Abstract

In studying how to communicate over a public channel with an active adversary, Dodis and Wichs introduced the notion of a non-malleable extractor. A non-malleable extractor dramatically strengthens the notion of a strong extractor. A strong extractor takes two inputs, a weakly-random $x$ and a uniformly random seed $y$, and outputs a string which appears uniform, even given $y$. For a non-malleable extractor nmExt, the output $\mathrm{nmExt}(x, y)$ should appear uniform given $y$ as well as $\mathrm{nmExt}(x, \mathcal{A}(y))$, where $\mathcal{A}$ is an arbitrary function with $\mathcal{A}(y) \neq y$.

We show that an extractor introduced by Chor and Goldreich is non-malleable when the entropy rate is above half. It outputs a linear number of bits when the entropy rate is $1/2 + \alpha$, for any $\alpha > 0$. Previously, no nontrivial parameters were known for any non-malleable extractor. To achieve a polynomial running time when outputting many bits, we rely on a widely-believed conjecture about the distribution of prime numbers in arithmetic progressions. Our analysis involves character sum estimates, which may be of independent interest.

Using our non-malleable extractor, we obtain protocols for "privacy amplification": key agreement between two parties who share a weakly-random secret. Our protocols work in the presence of an active adversary with unlimited computational power, and have asymptotically optimal entropy loss. When the secret has entropy rate greater than 1/2, the protocol follows from a result of Dodis and Wichs, and takes two rounds. When the secret has entropy rate $\delta$ for any constant $\delta > 0$, our new protocol takes a constant (polynomial in $1/\delta$) number of rounds. Our protocols run in polynomial time under the above well-known conjecture about primes.
1 Introduction



Bennett, Brassard, and Robert [BBR88] introduced the basic cryptographic question of privacy 
amplification. Suppose Alice and Bob share an n-bit secret key X, which is weakly random. This 
could occur because the secret is a password or biometric data, neither of which is uniformly 
random, or because an adversary Eve managed to learn some information about a secret which 
previously was uniformly random. How can Alice and Bob communicate over a public channel to 
transform X into a nearly uniform secret key, about which Eve has negligible information? We 
measure the randomness in X using min-entropy. 

Definition 1.1. The min-entropy of a random variable $X$ is

$$H_\infty(X) = \min_{x \in \mathrm{supp}(X)} \log_2\bigl(1/\Pr[X = x]\bigr).$$

For $X \in \{0,1\}^n$, we call $X$ an $(n, H_\infty(X))$-source, and we say $X$ has entropy rate $H_\infty(X)/n$.

We assume Eve has unlimited computational power. If Eve is passive, i.e., cannot corrupt the 
communication between Alice and Bob, then it is not hard to use randomness extractors [NZ96] to 
solve this problem. In particular, a strong extractor suffices. 

Notation. We let $[s]$ denote the set $\{1, 2, \ldots, s\}$. For $\ell$ a positive integer, $U_\ell$ denotes the uniform distribution on $\{0,1\}^\ell$, and for $S$ a set, $U_S$ denotes the uniform distribution on $S$. When used as a component in a vector, each $U_\ell$ or $U_S$ is assumed independent of the other components. We say $W \approx_\varepsilon Z$ if the random variables $W$ and $Z$ have distributions which are $\varepsilon$-close in variation distance.

Definition 1.2. A function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a strong $(k, \varepsilon)$-extractor if for every source $X$ with min-entropy $k$ and independent $Y$ which is uniform on $\{0,1\}^d$,

$$(\mathrm{Ext}(X, Y), Y) \approx_\varepsilon (U_m, Y).$$

Using such an extractor, the case when Eve is passive can be solved as follows. Alice chooses a fresh random string $Y$ and sends it to Bob. They then both compute $\mathrm{Ext}(X, Y)$. The property of the strong extractor guarantees that even given $Y$, the output is close to uniform.

The case when Eve is active, i.e., can corrupt the communication, has recently received attention. Maurer and Wolf [MW97] gave a one-round protocol which works when the entropy rate of the weakly-random secret $X$ is bigger than 2/3. This was later improved by Dodis, Katz, Reyzin, and Smith [DKRS06] to work for entropy rate bigger than 1/2. However in both cases the resulting nearly-uniform secret key $R$ is significantly shorter than the min-entropy of $X$. Dodis and Wichs [DW09] showed that there is no one-round protocol for entropy rate less than 1/2. Renner and Wolf [RW03] gave the first protocol which works for entropy rate below 1/2. Kanukurthi and Reyzin [KR09] simplified their protocol and showed that the protocol can run in $O(s)$ rounds and achieve entropy loss $O(s^2)$ to achieve security parameter $s$. (Recall that a protocol achieves security parameter $s$ if Eve cannot predict with advantage more than $2^{-s}$ over random. For an active adversary, we further require that Eve cannot force Alice and Bob to output different secrets and not abort with probability more than $2^{-s}$.) Dodis and Wichs [DW09] improved the number of rounds to 2 but did not improve the entropy loss. Chandran, Kanukurthi, Ostrovsky, and Reyzin [CKOR10] improved the entropy loss to $O(s)$ but the number of rounds remained $O(s)$. The natural open question is therefore whether there is a 2-round protocol with entropy loss $O(s)$.
Dodis and Wichs showed how such a protocol could be built using non-malleable extractors,
which they defined. In the following definition of (worst-case) non-malleable extractor, think of an adversary changing the value of the seed via the function $\mathcal{A}$.

Definition 1.3. A function $\mathrm{nmExt} : [N] \times [D] \to [M]$ is a $(k, \varepsilon)$-non-malleable extractor if, for any source $X$ with $H_\infty(X) \ge k$ and any function $\mathcal{A} : [D] \to [D]$ such that $\mathcal{A}(y) \neq y$ for all $y$, the following holds. When $Y$ is chosen uniformly from $[D]$ and independent of $X$,

$$(\mathrm{nmExt}(X, Y), \mathrm{nmExt}(X, \mathcal{A}(Y)), Y) \approx_\varepsilon (U_{[M]}, \mathrm{nmExt}(X, \mathcal{A}(Y)), Y).$$

Note that this dramatically strengthens the definition of strong extractor. In a strong extractor, the output must be indistinguishable from uniform, even given the random seed. For a non-malleable extractor, a distinguisher is not only given a random seed, but also the output of the extractor with the given input and an arbitrarily correlated random seed. Note that $\mathrm{nmExt}(X, \mathcal{A}(Y))$ need not be close to uniform. The above "worst-case" definition is slightly weaker than the "average-case" definition needed by applications, but Dodis and Wichs showed that any worst-case $(k, \varepsilon)$-non-malleable extractor is also an average-case $(k + \log(1/\varepsilon), 2\varepsilon)$-non-malleable extractor (take $s = \log(1/\varepsilon)$ in Corollary 3.5). See Subsection 3.2.

Unfortunately, Dodis and Wichs were not able to construct such non-malleable extractors. Instead, they constructed "look-ahead extractors," which are weaker than non-malleable extractors, but nevertheless yielded the two-round, $O(s^2)$-entropy loss protocol mentioned above.

Dodis and Wichs also showed the existence of non-malleable extractors. The existence of excellent standard randomness extractors can be shown by the probabilistic method in a straightforward way. For non-malleable extractors, the argument requires more work. Nevertheless, Dodis and Wichs showed that non-malleable extractors exist with $k > 2m + 3\log(1/\varepsilon) + \log d + 9$ and $d > \log(n - k + 1) + 2\log(1/\varepsilon) + 7$, for $N = 2^n$, $M = 2^m$, and $D = 2^d$.

The definition of non-malleable extractor is so strong that before our work, no explicit construction was known for any length seed achieving a one-bit output, even for min-entropy $k = .99n$. For example, a first attempt might be $f(x, y) = x \cdot y$, where the inner product is taken over $\mathrm{GF}(2)$. However, this fails, even for min-entropy $n - 1$. To see this, take $X$ to be the bit $0$ concatenated with $U_{n-1}$. Let $\mathcal{A}(y)$ be $y$ with the first bit flipped. Then for all $x$ in the support of $X$, one has $f(x, y) = f(x, \mathcal{A}(y))$, because the flipped bit of $y$ is always multiplied by the fixed $0$ bit of $x$.

Although general Hadamard codes don't work, we nevertheless show that a specific near-Hadamard code that comes from the Paley graph works for min-entropy $k > n/2$. The Paley graph function is $\mathrm{nmExt}(x, y) = \chi(x - y)$, where $x$ and $y$ are viewed as elements in a finite field $\mathbb{F}$ of odd order $q$ and $\chi$ is the quadratic character $\chi(x) = x^{(q-1)/2}$. (The output of $\chi$ is in $\{\pm 1\}$, which we convert to an element of $\{0, 1\}$.) The function $\mathrm{nmExt}(x, y) = \chi(x + y)$ works equally well. The proof involves estimating a nontrivial character sum.
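Both the inner-product counterexample and the Paley-graph function can be checked exhaustively at toy size. The following Python is an added example, not code from the paper: it enumerates every $(x, y)$ pair for the inner product with $X = 0 \circ U_{n-1}$ and a first-bit-flipping $\mathcal{A}$, and every pair for the one-bit Paley extractor over $\mathbb{F}_q$ with $\mathcal{A}(y) = y + 1$. The small $n$, the prime $q$, and the choice $\mathcal{A}(y) = y + 1$ are assumptions made for the demonstration.

```python
def inner_product_bit(x, y):
    """f(x, y) = <x, y> over GF(2): the parity of popcount(x AND y)."""
    return bin(x & y).count("1") & 1


def inner_product_agreement(n):
    """Exhaustive check of the inner-product counterexample.

    X = 0 || U_{n-1}: the first (most significant) bit of x is fixed to 0,
    so H_inf(X) = n - 1.  A(y) flips that same bit of y, so A(y) != y.
    Returns the fraction of (x, y) pairs with f(x, y) == f(x, A(y)).
    """
    top = 1 << (n - 1)
    agree = total = 0
    for x in range(top):                 # all x whose top bit is 0
        for y in range(1 << n):
            total += 1
            if inner_product_bit(x, y) == inner_product_bit(x, y ^ top):
                agree += 1
    return agree / total


def quadratic_character(z, q):
    """chi(z) = z^((q-1)/2) mod q, reported as +1 / -1, with chi(0) = 0."""
    z %= q
    if z == 0:
        return 0
    return 1 if pow(z, (q - 1) // 2, q) == 1 else -1


def paley_bit(x, y, q):
    """One-bit nmExt(x, y) = chi(x + y), with +1 -> 0 and -1 -> 1."""
    return 0 if quadratic_character(x + y, q) == 1 else 1


def paley_agreement(q):
    """Same experiment for the Paley-graph extractor over F_q, q an odd prime.

    A(y) = y + 1 is assumed for the demonstration (it never fixes y), and x
    ranges over all of F_q.  Pairs where x + y or x + A(y) is 0 are skipped
    because chi(0) = 0 is not a bit.  Returns the fraction of pairs with
    nmExt(x, y) == nmExt(x, A(y)).
    """
    agree = total = 0
    for x in range(q):
        for y in range(q):
            z = (x + y) % q
            if z == 0 or (z + 1) % q == 0:
                continue
            total += 1
            if paley_bit(x, y, q) == paley_bit(x, y + 1, q):
                agree += 1
    return agree / total
```

The inner product agrees on every pair, so seeing $f(x, \mathcal{A}(y))$ determines $f(x, y)$ completely. For the Paley function the agreement rate is $(q-3)/(2(q-2))$, just under $1/2$: it follows from the classical identity $\sum_{z \in \mathbb{F}_q} \chi(z)\chi(z+1) = -1$, a one-variable instance of the kind of cancellation the character sum estimate of Section 5 establishes for an arbitrary $\mathcal{A}$ and an arbitrary large set $S$.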

We can output $m$ bits by computing the discrete logarithm $\log_g(x + y) \bmod M$. This extractor was originally introduced by Chor and Goldreich [CG88] in the context of two-source extractors. To make this efficient, we need $M$ to divide $q - 1$. A widely-believed conjecture about primes in arithmetic progressions implies that such a $q$ is not too large (see Conjecture 3.7). Our result is stated as follows.

Theorem 1.4. For any constants $\alpha, \beta, \gamma > 0$ with $\beta + \gamma < \alpha/2$, there is an explicit $(k = (1/2 + \alpha)n, \varepsilon)$-non-malleable extractor $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ for $\varepsilon = 2^{-\gamma n}$ and any $m \le \beta n$. It has seed length $d = n$ and runs in polynomial time if Conjecture 3.7 holds or $m = O(\log n)$.
As a direct corollary of Theorem 1.4 and the protocol of Dodis and Wichs, we obtain a 2-round protocol for privacy amplification with optimal entropy loss, when the entropy rate is $1/2 + \alpha$ for any $\alpha > 0$. This improves the significant entropy loss in the one-round protocols of Dodis, Katz, Reyzin, and Smith [DKRS06] and Kanukurthi and Reyzin [KR08].

Next, we use our non-malleable extractor to give a constant-round privacy amplification protocol with optimal entropy loss, when the entropy rate is $\delta$ for any constant $\delta > 0$. This significantly improves the round complexity of [KR09] and [CKOR10]. It also significantly improves the entropy loss of [DW09], at the price of a larger, but still comparable ($O(1)$ vs. 2), round complexity. Our result is stated as follows.

Theorem 1.5. Under Conjecture 3.7, for any constant $0 < \delta < 1$ and error $2^{-\Omega(\delta n)} \le \varepsilon \le 1/n$, there exists a polynomial-time, constant-round $(k = \delta n, m = \delta n - O(\log(1/\varepsilon)), \varepsilon)$-secure protocol for privacy amplification. More specifically, the protocol takes number of rounds $\mathrm{poly}(1/\delta) = O(1)$, and achieves entropy loss $k - m = \mathrm{poly}(1/\delta)\log(1/\varepsilon) = O(\log(1/\varepsilon))$.

Subsequent work. Following the preliminary version of our work [DLWZ11], Cohen, Raz, and Segev [CRS11] gave an alternative construction of a non-malleable extractor for min-entropy rate $1/2 + \alpha$. Their construction has the advantage that it works for any seed length $d$ with $2.01\log n < d < n$, although their output length $m$ remains small if $d$ is small, i.e., $m = O(d)$. They further do not rely on any unproven assumption. Our construction, or at least the one-bit version, appears to be a special case of their construction.

Inspired by their elegant work, we subsequently used ideas related to [CRS11] and [Raz05] to strengthen our character sum and show that our non-malleable extractor works even if the seed has entropy only $O(m + \log n)$. In particular, this implies that our extractor can also use a seed as small as $O(\log n)$. We believe that their proof can also be modified to show that their construction works for weak seeds.

To state our results, we define non-malleable extractors for weak seeds. 

Definition 1.6. A function $\mathrm{nmExt} : [N] \times [D] \to [M]$ is a $(k, k', \varepsilon)$-non-malleable extractor if, for any source $X$ with $H_\infty(X) \ge k$, any seed $Y$ with $H_\infty(Y) \ge k'$, and any function $\mathcal{A} : [D] \to [D]$ such that $\mathcal{A}(y) \neq y$ for all $y$, the following holds:

$$(\mathrm{nmExt}(X, Y), \mathrm{nmExt}(X, \mathcal{A}(Y)), Y) \approx_\varepsilon (U_{[M]}, \mathrm{nmExt}(X, \mathcal{A}(Y)), Y).$$

We can now state our theorem for weak seeds. We stress that we proved this theorem only after seeing [CRS11].

Theorem 1.7. For any $\varepsilon > 0$ and constant $\alpha > 0$, there is a constant $c < 8/\alpha$ such that there is an explicit $(k = (1/2 + \alpha)n, k', \varepsilon)$-non-malleable extractor $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ for $d = n$ and $k' = c(m + \log\varepsilon^{-1} + \log n)$. In particular, we can reduce the seed length $d$ of our $(k = (1/2 + \alpha)n, \varepsilon)$-non-malleable extractor to $d = c(m + \log\varepsilon^{-1} + \log n)$. Our extractor runs in polynomial time if Conjecture 3.7 holds or $m = O(\log n)$.

Organization. Since our first proof is for the non-malleable extractor, we begin with an overview 
of our privacy amplification protocol in Section 2. (Readers interested only in the non-malleable 
extractor can skip this section.) We discuss some preliminaries in Section 3, the non-malleable 
extractor in Section 4, and the character sum estimate in Section 5. Finally, we give full details 
of the privacy amplification protocol in Section 6. In Appendix A we give a generalization of the 
non-malleable extractor. 
2 Overview of the Protocol for Privacy Amplification



We first describe Dodis and Wichs' optimal two-round protocol using a non-malleable extractor. The protocol also uses a cryptographic primitive: a one-time message authentication code (MAC). Roughly speaking, a MAC uses a private uniformly random key $R$ to produce a tag $T$ for a message $m$, such that without knowing the key, the probability that an adversary can guess the correct tag $T'$ for another message $m' \neq m$ is small, even given $m$ and $T$.

Now assume that we have a non-malleable extractor nmExt that works for any $(n, k)$-source $X$. Then there is a very natural two-round privacy amplification protocol. In the first round Alice chooses a fresh random string $Y$ and sends it to Bob. Bob receives a possibly modified string $Y'$. They then compute $R = \mathrm{nmExt}(X, Y)$ and $R' = \mathrm{nmExt}(X, Y')$ respectively. In the second round, Bob chooses a fresh random string $W'$ and sends it to Alice, together with $T' = \mathrm{MAC}_{R'}(W')$ by using $R'$ as the MAC key. Alice receives a possibly modified version $(W, T)$, and she checks if $T = \mathrm{MAC}_R(W)$. If not, then Alice aborts; otherwise they compute outputs $Z = \mathrm{Ext}(X, W)$ and $Z' = \mathrm{Ext}(X, W')$ respectively, where Ext is a seeded strong extractor. The protocol is depicted in Figure 1.

The analysis of the above protocol is also simple. If Eve does not change Y, then R = R' and is 
(close to) uniform. Therefore by the property of the MAC the probability that Eve can change W' 
without being detected is very small. On the other hand if Eve changes Y, then by the property 
of the non-malleable extractor, one finds that R' is (close to) independent of R. Thus in this case, 
again the probability that Eve can change W without being detected is very small. In fact, in this 
case Eve cannot even guess the correct MAC for W' with a significant probability. 
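As an added example (not code from the paper or from [DW09]), the following Python simulates the two-round protocol just described with toy parameters: the shared secret is 16 bits, nmExt is the Chor-Goldreich discrete-log extractor over $\mathbb{F}_{65537}$ (so $M = 2^{16}$ divides $q - 1$ and the discrete log can simply be tabulated), the one-time MAC is the pairwise-independent hash $a \cdot w + b \bmod 251$ with $(a, b)$ read off the key $R$, and Ext is nmExt run with a fresh seed (a non-malleable extractor is in particular a strong extractor). These sizes, the field, the MAC, and the attacker strategies are assumptions chosen for illustration, not parameters from the paper.

```python
import random

Q = 65537        # prime with q - 1 = 2^16, so M = 2^16 divides q - 1 (toy size)
M_BITS = 16
G = 3            # generator of F_Q^*; verified when the table below is built
P_MAC = 251      # prime field for the one-time MAC (toy size)

# Discrete-log table log_G(z) for every z in F_Q^* (fine at this toy size).
DLOG = {}
_acc = 1
for _i in range(Q - 1):
    DLOG[_acc] = _i
    _acc = _acc * G % Q
assert len(DLOG) == Q - 1, "G does not generate F_Q^*"


def nm_ext(x, y):
    """Chor-Goldreich / DLWZ extractor nmExt(x, y) = log_g(x + y) mod 2^m.
    Since q - 1 = 2^m here, the reduction mod M is the identity.  x + y = 0
    has no discrete log; mapping it to 0 is a convention (a 1/q event)."""
    z = (x + y) % Q
    return 0 if z == 0 else DLOG[z] % (1 << M_BITS)


def mac(key, w):
    """One-time MAC from a pairwise-independent hash over F_p: the 16-bit
    key is split into (a, b) and the tag is a*w + b mod p."""
    a, b = (key >> 8) % P_MAC, (key & 0xFF) % P_MAC
    return (a * w + b) % P_MAC


def ext(x, w):
    """Final strong seeded extractor: nm_ext with a fresh seed serves here."""
    return nm_ext(x, w)


def two_round_protocol(x, rng, eve=None):
    """Dodis-Wichs two-round protocol.  eve(name, value) may rewrite each
    message on the wire.  Returns (alice_key, bob_key); alice_key is None
    when Alice aborts because the tag fails to verify."""
    tamper = eve if eve is not None else (lambda name, v: v)
    # Round 1, Alice -> Bob: a fresh seed Y.  Bob may receive Y' != Y.
    y = rng.randrange(1, Q)
    y_prime = tamper("Y", y)
    r, r_prime = nm_ext(x, y), nm_ext(x, y_prime)
    # Round 2, Bob -> Alice: fresh W' and T' = MAC_{R'}(W').
    w_prime = rng.randrange(P_MAC)
    t_prime = mac(r_prime, w_prime)
    w, t = tamper("WT", (w_prime, t_prime))
    # Alice checks the tag under her own key R and aborts on mismatch.
    if mac(r, w) != t:
        return None, ext(x, w_prime)
    return ext(x, w), ext(x, w_prime)


def eve_flip_seed_and_substitute_w(name, v):
    """Constructed attacker: flip one bit of Y, then replace W' by W' + 1
    and replay Bob's tag T' unchanged."""
    if name == "Y":
        return v ^ 1
    w_prime, t_prime = v
    return (w_prime + 1) % P_MAC, t_prime


def acceptance_rate(eve, trials, seed=7):
    """Fraction of runs (fresh toy 16-bit secrets) in which Alice accepts."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        x = rng.getrandbits(M_BITS)
        alice_key, _ = two_round_protocol(x, rng, eve)
        accepted += alice_key is not None
    return accepted / trials


def honest_run(x, seed=1):
    """One run with no tampering; both keys should agree."""
    return two_round_protocol(x, random.Random(seed))
```

With no tampering Alice always accepts and both parties hold the same key. When Eve flips a bit of $Y$, Bob's key $R'$ is computed from a different seed, so his tag $T'$ verifies under Alice's $R$ only by chance, about $1/251$ of the time for this MAC: that is the "R' is (close to) independent of R" step of the analysis, made concrete.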

The above protocol is nice, except that we only have non-malleable extractors for entropy rate $> 1/2$. As a direct corollary this gives our 2-round privacy amplification protocol for entropy rate $> 1/2$. To get a protocol for arbitrary positive entropy rate, we have to do more work.

We start by converting the shared weak random source $X$ into a somewhere high min-entropy rate source. The conversion uses recent condensers built from sum-product theorems. Specifically, any $n$-bit weak random source with linear min-entropy can be converted into a matrix with a constant number of rows, such that at least one row has entropy rate 0.9.¹ Moreover each row still has $\Omega(n)$ bits. Note that since Alice and Bob apply the same function to the shared weak random source, they now also share the same rows.

Now it is natural to try the two-round protocol for each row and hope that it works on the row with high min-entropy rate. More specifically, for each row $i$ we have a two round protocol that produces $R_i, R_i'$ in the first round and $Z_i, Z_i'$ in the second round. Now let $g$ be the first row that has min-entropy rate 0.9. We hope that $Z_g = Z_g'$ with high probability, and further that $Z_g, Z_g'$ are close to uniform and private. This is indeed the case if we run the two round protocol for each row sequentially (namely we run it for the first row, and then the second row, the third row, and so on), and can be argued as follows.

Assume the security parameter we need to achieve is $s$, so each of $R_i, R_i'$ has $O(\log n + s)$ bits by the property of the MAC. As long as $s$ is not too large, we can fix all these random variables up to row $g - 1$, and argue that row $g$ still has min-entropy rate $> 1/2$ (since each row has $\Theta(n)$ bits we can actually achieve a security parameter up to $s = \Omega(n)$). Note that we have essentially fixed all the information about $X$ that can be leaked to Eve. Therefore now for row $g$ the protocol

¹In fact, the result is (close to) a convex combination of such matrices. For simplicity, however, we can assume that the result is just one such matrix, since it does not affect the analysis.
succeeds and thus $Z_g = Z_g'$ with high probability, and $Z_g, Z_g'$ are close to uniform and private.

However, we don't know which row is the good row. We now modify the above protocol to ensure that, once we reach the first good row $g$, for all subsequent rows $i$, with $i > g$, we will have that $Z_i = Z_i'$ with high probability, and further $Z_i, Z_i'$ are close to uniform and private. If this is true then we can just use the output for the last row as the final output.

To achieve this, the crucial observation is that once we reach a row $i - 1$ such that $Z_{i-1} = Z_{i-1}'$, and $Z_{i-1}, Z_{i-1}'$ are close to uniform and private, then $Z_{i-1}'$ can be used as a MAC key to authenticate $W_i'$ for the next row. Now if $W_i' = W_i$ for row $i$, then $Z_i = Z_i'$ and $Z_i, Z_i'$ will also be close to uniform and private. Therefore, we modify the two-round protocol so that in the second round for row $i$, not only do we use $T_i' = \mathrm{MAC}_{R_i'}(W_i')$ to authenticate $W_i'$, but also we use $L_i' = \mathrm{MAC}_{Z_{i-1}'}(W_i')$ to authenticate $W_i'$.

This would have worked given that $Z_{i-1} = Z_{i-1}'$, and $Z_{i-1}, Z_{i-1}'$ are close to uniform and private, except for another complication. The problem is that now $T_i' = \mathrm{MAC}_{R_i'}(W_i')$ could leak information about $Z_{i-1}'$ to Eve, so $Z_{i-1}'$ is no longer private. Fortunately, there are known constructions of MACs that work even when the key is not uniform, but instead only has large enough average conditional min-entropy in the adversary's view. Specifically, Theorem 6.8 indicates that the security parameter of this MAC is roughly the average conditional min-entropy of the key minus half the key length, and the key length is roughly twice as long as the length of the tag. Therefore, we can choose a small tag length for $T_i' = \mathrm{MAC}_{R_i'}(W_i')$, and a large tag length for $L_i' = \mathrm{MAC}_{Z_{i-1}'}(W_i')$. For example, if the tag length for $T_i'$ is $2s$, and the tag length for $L_i'$ is $4s$, then the key length for $L_i'$ is $8s$. Thus the average min-entropy of $Z_{i-1}'$ conditioned on $T_i'$ is $8s - 2s = 6s$, and we can still achieve a security parameter of $6s - 4s = 2s$.

Finally, the discussion so far implicitly assumed that Eve follows a natural "synchronous" 
scheduling, where she never tries to get one party out-of-sync with another party. To solve this 
problem, after each Phase i Bob performs a "liveness" test, where Alice has to respond to a fresh 
extractor challenge from Bob to convince Bob that Alice is still "present" in this round. This 
ensures that if Bob completes the protocol, Alice was "in-sync" with Bob throughout. However, 
Eve might be able to make Alice be out-of-sync with Bob, causing Alice to output a non-random 
key (and Bob reject). To solve this last problem, we add one more round at the end which ensures 
that Alice always outputs a random key (and Bob either outputs the same key or rejects). 

With this modification, the complete protocol is depicted in Figure 2. Essentially, for the first good row, the property of the non-malleable extractor guarantees that Eve cannot change $W_g'$ with significant probability. For all subsequent rows, by using the output $Z_{i-1}'$ from the previous row as the MAC key, the property of the MAC guarantees that Eve cannot change $W_i'$ with significant probability. Therefore, the output for the last row can be used to authenticate the last seed of the extractor chosen by Alice (for the reason mentioned above) to produce the final output.

Finally, we note that our final protocol has $O(1)$ rounds and achieves asymptotically optimal entropy loss $O(s + \log n)$, for security parameter $s$.

3 Preliminaries 

We often use capital letters for random variables and corresponding small letters for their instantiations. Let $|S|$ denote the cardinality of the set $S$. Let $\mathbb{Z}_r$ denote the cyclic group $\mathbb{Z}/(r\mathbb{Z})$, and let $\mathbb{F}_q$ denote the finite field of size $q$. All logarithms are to the base 2.
3.1 Probability distributions

Definition 3.1 (statistical distance). Let $W$ and $Z$ be two distributions on a set $S$. Their statistical distance (variation distance) is

$$\Delta(W, Z) = \max_{T \subseteq S} \bigl|W(T) - Z(T)\bigr| = \frac{1}{2}\sum_{s \in S} |W(s) - Z(s)|.$$

We say $W$ is $\varepsilon$-close to $Z$, denoted $W \approx_\varepsilon Z$, if $\Delta(W, Z) \le \varepsilon$. For a distribution $D$ on a set $S$ and a function $h : S \to T$, let $h(D)$ denote the distribution on $T$ induced by choosing $x$ according to $D$ and outputting $h(x)$. We often view a distribution as a function whose value at a sample point is the probability of that sample point. Thus $\|W - Z\|_1$ denotes the $\ell_1$ norm of the difference of the distributions specified by the random variables $W$ and $Z$, which equals $2\Delta(W, Z)$.



3.2 Average conditional min-entropy 

Dodis and Wichs originally defined non-malleable extractors with respect to average conditional 
min-entropy, a notion defined by Dodis, Ostrovsky, Reyzin, and Smith [DORS08]. 



Definition 3.2. The average conditional min-entropy is defined as

$$\tilde{H}_\infty(X \mid W) = -\log\Bigl(\mathbb{E}_{w \leftarrow W}\Bigl[\max_x \Pr[X = x \mid W = w]\Bigr]\Bigr) = -\log\Bigl(\mathbb{E}_{w \leftarrow W}\bigl[2^{-H_\infty(X \mid W = w)}\bigr]\Bigr).$$

Average conditional min-entropy tends to be useful for cryptographic applications. By taking 
W to be the empty string, we see that average conditional min-entropy is at least as strong as 
min-entropy. In fact, the two are essentially equivalent, up to a small loss in parameters. We have 
the following lemmas. 

Lemma 3.3 ([DORS08]). For any $s > 0$, $\Pr_{w \leftarrow W}\bigl[H_\infty(X \mid W = w) \ge \tilde{H}_\infty(X \mid W) - s\bigr] \ge 1 - 2^{-s}$.

Lemma 3.4 ([DORS08]). If a random variable $B$ has at most $2^\ell$ possible values, then $\tilde{H}_\infty(A \mid B) \ge H_\infty(A) - \ell$.

To clarify which notion of min-entropy and non-malleable extractor we mean, we use the term 
worst-case non-malleable extractor when we refer to our Definition 1.3, which is with respect to tra- 
ditional (worst-case) min-entropy, and average-case non-malleable extractor to refer to the original 
definition of Dodis and Wichs, which is with respect to average conditional min-entropy. 

Corollary 3.5. A $(k, \varepsilon)$-average-case non-malleable extractor is a $(k, \varepsilon)$-worst-case non-malleable extractor. For any $s > 0$, a $(k, \varepsilon)$-worst-case non-malleable extractor is a $(k + s, \varepsilon + 2^{-s})$-average-case non-malleable extractor.

Throughout the rest of our paper, when we say non-malleable extractor, we refer to the worst- 
case non-malleable extractor of Definition 1.3. 



3.3 Primes in arithmetic progressions 

To output more than logn bits, we will rely on a well-known conjecture about primes in arithmetic 
progressions. We begin with a definition. 
Definition 3.6. Let $p(r, a)$ denote the least prime in the arithmetic progression $a$ modulo $r$.

We can now state a special case of a well-known conjecture. 

Conjecture 3.7. There exists a constant $c > 0$, such that for $r$ a power of 2 and $a = 1$, one has $p(r, a) = O(r\log^c r)$.

We don't really need $r$ to be a power of 2; it would suffice if the conjecture held for integers $r_n$, where $r_n$ is a smooth integer of about $n$ bits computable in time polynomial in $n$. This conjecture is widely believed for $c = 2$, all $r$, and all $a$ relatively prime to $r$. For more on this conjecture, see, for example, the discussion following equation (1) of [HB78]. The best unconditional conclusion is substantially weaker. Thus, one has $p(r, a) = O(r^{5.2})$ (see [Xyl11, HB92]).

3.4 Fourier analysis 

The following definitions from Fourier analysis are standard (see e.g., [Ter99]), although we normalize differently than in many computer science papers, such as [Rao07]. For functions $f, g$ from a set $S$ to $\mathbb{C}$, we define the inner product $\langle f, g\rangle = \sum_{s \in S} f(s)\overline{g(s)}$. Let $D$ be a distribution on $S$, which we also view as a function from $S$ to $\mathbb{R}$. Note that $\mathbb{E}_D[f(D)] = \langle f, D\rangle$. Now suppose we have functions $h : S \to T$ and $g : T \to \mathbb{C}$. Then

$$\langle g \circ h, D\rangle = \mathbb{E}_D[g(h(D))] = \langle g, h(D)\rangle.$$

Let $G$ be a finite abelian group, and let $\phi$ be a character of $G$, i.e., a homomorphism from $G$ to $\mathbb{C}^\times$. We call the character that maps all elements to 1 the trivial character. Define the Fourier coefficient $\hat{f}(\phi) = \langle f, \phi\rangle$. We let $\hat{f}$ denote the vector with entries $\hat{f}(\phi)$ for all $\phi$. Note that for a distribution $D$, one has $\hat{D}(\phi) = \mathbb{E}_D\bigl[\overline{\phi(D)}\bigr]$.

Since the characters divided by $\sqrt{|G|}$ form an orthonormal basis, the inner product is preserved up to scale: $\langle \hat{f}, \hat{g}\rangle = |G|\,\langle f, g\rangle$. As a corollary, we obtain Parseval's equality:

$$\|\hat{f}\|_2^2 = \langle \hat{f}, \hat{f}\rangle = |G|\,\langle f, f\rangle = |G|\,\|f\|_2^2.$$

Hence by Cauchy-Schwarz,

$$\|f\|_1 \le \sqrt{|G|}\,\|f\|_2 = \|\hat{f}\|_2 \le \sqrt{|G|}\,\|\hat{f}\|_\infty. \tag{1}$$

For functions $f, g : S \to \mathbb{C}$, we define the function $(f, g) : S \times S \to \mathbb{C}$ by $(f, g)(x, y) = f(x)g(y)$. Thus, the characters of the group $G \times G$ are the functions $(\phi, \phi')$, where $\phi$ and $\phi'$ range over all characters of $G$. We abbreviate the Fourier coefficient $\widehat{(f, g)}((\phi, \phi'))$ by $\widehat{(f, g)}(\phi, \phi')$. Note that

$$\widehat{(f, g)}(\phi, \phi') = \sum_{(x, y) \in G \times G} f(x)g(y)\,\overline{\phi(x)\phi'(y)} = \Bigl(\sum_{x \in G} f(x)\overline{\phi(x)}\Bigr)\Bigl(\sum_{y \in G} g(y)\overline{\phi'(y)}\Bigr) = \hat{f}(\phi)\,\hat{g}(\phi').$$

3.5 A non-uniform XOR lemma 

We'll need the following extension of Vazirani's XOR lemma. We can't use traditional versions of 
the XOR lemma, because our output may not be uniform. Our statement and proof parallels Rao 
[Rao07]. 
Lemma 3.8. Let $(W, W')$ be a random variable on $G \times G$ for a finite abelian group $G$, and suppose that for all characters $\phi, \phi'$ on $G$ with $\phi$ nontrivial, one has

$$\bigl|\mathbb{E}_{(W, W')}[\phi(W)\phi'(W')]\bigr| \le \alpha.$$

Then the distribution of $(W, W')$ is $\alpha|G|$-close to $(U, W')$, where $U$ is the uniform distribution on $G$ which is independent of $W'$. Moreover, for $f : G \times G \to \mathbb{R}$ defined as the difference of distributions $(W, W') - (U, W')$, we have $\|\hat{f}\|_\infty \le \alpha$.

Proof. As implied in the lemma statement, the value of $f(a, b)$ is the probability assigned to $(a, b)$ by the distribution of $(W, W')$ minus that assigned by $(U, W')$. First observe that

$$\hat{f}(\phi, \phi') = \langle f, (\phi, \phi')\rangle = \mathbb{E}_{(W, W')}\bigl[\overline{\phi(W)\phi'(W')}\bigr] - \mathbb{E}_{(U, W')}\bigl[\overline{\phi(U)\phi'(W')}\bigr].$$

Since $U$ and $W'$ are independent, this last term equals

$$\mathbb{E}_{(U, W')}\bigl[\overline{\phi(U)}\bigr]\,\mathbb{E}_{(U, W')}\bigl[\overline{\phi'(W')}\bigr] = \mathbb{E}_U\bigl[\overline{\phi(U)}\bigr]\,\mathbb{E}_{W'}\bigl[\overline{\phi'(W')}\bigr] = 0,$$

since $\phi$ is nontrivial. Therefore, by hypothesis (a complex number and its conjugate have the same modulus), when $\phi$ is nontrivial, one finds that $|\hat{f}(\phi, \phi')| \le \alpha$. When $\phi$ is trivial, we get

$$\hat{f}(\phi, \phi') = \mathbb{E}_{(W, W')}\bigl[\overline{\phi'(W')}\bigr] - \mathbb{E}_{(U, W')}\bigl[\overline{\phi'(W')}\bigr] = 0.$$

Hence, by (1) applied to the group $G \times G$, $\|f\|_1 \le \sqrt{|G \times G|}\,\|\hat{f}\|_\infty \le |G|\alpha$, and $\Delta((W, W'), (U, W')) = \|f\|_1/2 \le \alpha|G|$. □
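To see Lemma 3.8 at work on the very pair it is applied to in Section 4, the following Python (an added example, not code from the paper) builds the joint distribution of $(W, W') = (\mathrm{nmExt}(X, y), \mathrm{nmExt}(X, \mathcal{A}(y)))$ for the one-bit Paley extractor with $\mathcal{A}(y) = y + 1$ and $X$ uniform on $\mathbb{F}_q$, computes $\alpha$ as the largest Fourier coefficient with $\phi$ nontrivial, and compares the statistical distance to $(U, W')$ against the bound $\alpha|G|$. The prime $q$, the choice of $\mathcal{A}$, and dropping the two points where $\chi$ vanishes are assumptions made for the demonstration.

```python
import cmath


def quadratic_character(z, q):
    """chi(z) = z^((q-1)/2) mod q as +1 / -1, with chi(0) = 0."""
    z %= q
    if z == 0:
        return 0
    return 1 if pow(z, (q - 1) // 2, q) == 1 else -1


def paley_pair_dist(q, y=0):
    """Constructed joint distribution of (W, W') = (bit(chi(x+y)), bit(chi(x+y+1)))
    for x uniform on F_q minus the two points where a character value is 0.
    This is the pair (nmExt(X, y), nmExt(X, A(y))) of the one-bit extractor
    with A(y) = y + 1, conditioned on Y = y.  Residue -> 0, non-residue -> 1."""
    counts, n = {}, 0
    for x in range(q):
        c0 = quadratic_character(x + y, q)
        c1 = quadratic_character(x + y + 1, q)
        if c0 == 0 or c1 == 0:
            continue
        n += 1
        key = (0 if c0 == 1 else 1, 0 if c1 == 1 else 1)
        counts[key] = counts.get(key, 0) + 1
    return {k: v / n for k, v in counts.items()}


def fourier_coeff(dist, M, k, kp):
    """E[phi_k(W) phi_kp(W')] with phi_k(a) = exp(2*pi*i*k*a/M), the characters of Z_M."""
    return sum(p * cmath.exp(2j * cmath.pi * (k * a + kp * b) / M)
               for (a, b), p in dist.items())


def alpha_of(dist, M):
    """alpha of Lemma 3.8: max |E[phi(W) phi'(W')]| over nontrivial phi (k != 0), any phi'."""
    return max(abs(fourier_coeff(dist, M, k, kp))
               for k in range(1, M) for kp in range(M))


def distance_from_uniform_first(dist, M):
    """Statistical distance between (W, W') and (U, W'), U uniform on Z_M, independent of W'."""
    marginal = {}
    for (a, b), p in dist.items():
        marginal[b] = marginal.get(b, 0.0) + p
    return 0.5 * sum(abs(dist.get((a, b), 0.0) - marginal.get(b, 0.0) / M)
                     for a in range(M) for b in range(M))


def check_lemma(q, y=0):
    """Return (alpha, delta, alpha*|G|) for the Paley pair with G = Z_2.
    Lemma 3.8 promises delta <= alpha*|G|.  For this pair the identity
    sum_z chi(z) chi(z+1) = -1 (and sum_z chi(z) = 0) gives alpha = 1/(q-2)."""
    dist = paley_pair_dist(q, y)
    alpha = alpha_of(dist, 2)
    return alpha, distance_from_uniform_first(dist, 2), 2 * alpha
```

For $G = \mathbb{Z}_2$ the nontrivial character is $(-1)^a$, so $\alpha$ is the larger of $|\mathbb{E}[(-1)^{W}]|$ and $|\mathbb{E}[(-1)^{W + W'}]|$, i.e. normalized character sums of exactly the shape bounded in Section 5; the lemma turns that single number into a bound on how far $W$ is from a uniform bit given $W'$, without ever looking at the joint table directly.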

4 The Non-Malleable Extractor 

Our basic extractor was introduced by Chor and Goldreich [CG88]. They showed that it was a 
two-source extractor for entropy rates bigger than 1/2. Dodis and Oliveira [DO03] showed that it 
was strong. Neither result implies anything about non-malleability. 

To output $m$ bits, we set $M = 2^m$ and choose a prime power $q > M$. In our basic extractor, we require that $M \mid (q - 1)$. Later, we remove this assumption. Fix a generator $g$ of $\mathbb{F}_q^\times$. We define $\mathrm{nmExt} : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{Z}_M$ by $\mathrm{nmExt}(x, y) = h(\log_g(x + y))$. Here $\log_g z$ is the discrete logarithm of $z$ with respect to $g$, and $h : \mathbb{Z}_{q-1} \to \mathbb{Z}_M$ is given by $h(x) = x \bmod M$.

In the special case $m = 1$, we only require that $q$ is odd. In this case, $\mathrm{nmExt}(x, y)$ corresponds to the quadratic character of $x + y$, converted to $\{0, 1\}$ output. This is efficient to compute. Since there is no known efficient deterministic algorithm to find an $n$-bit prime, we may take $q = 3^\ell$, with $3^{\ell-1} \le 2^n < 3^\ell$.

For general $M$, we use the Pohlig-Hellman algorithm to compute the discrete log mod $M$. This runs in polynomial time in the largest prime factor of $M$. Since in our case $M = 2^m$, this is polynomial time.

We still need a prime or prime power $q$ such that $M \mid (q - 1)$. Unconditionally, we get a polynomial-time algorithm to output $m = c\log n$ bits for any $c > 0$. To output more bits efficiently, we rely on a widely believed conjecture. Under Conjecture 3.7, such a prime can be found efficiently by testing $M + 1, 2M + 1, 3M + 1, \ldots$ in succession.
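The construction and the prime search described above, as an added example in Python (not the paper's code): it tests $M + 1, 2M + 1, \ldots$ for primality, finds a generator of $\mathbb{F}_q^\times$ by factoring $q - 1$ (trial division, adequate at toy size), and computes $\log_g(x + y) \bmod 2^m$ with the $2$-part of Pohlig-Hellman, so the full discrete logarithm is never needed. The toy values of $m$ and the convention $\mathrm{nmExt}(x, -x) = 0$ for the undefined $\log_g 0$ are assumptions made for the demonstration.

```python
def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24,
    far beyond the toy sizes used here."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_q(m):
    """Smallest prime q with 2^m | q - 1, found by testing M+1, 2M+1, ...
    Returns (q, j) with q = j*M + 1; Conjecture 3.7 says j = O(log^c M)."""
    M = 1 << m
    j = 1
    while not is_probable_prime(j * M + 1):
        j += 1
    return j * M + 1, j


def prime_factors(n):
    """Set of prime factors by trial division (toy sizes only)."""
    fs, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            fs.add(p)
            n //= p
        p += 1
    if n > 1:
        fs.add(n)
    return fs


def find_generator(q):
    """Smallest g generating F_q^*: g^((q-1)/p) != 1 for every prime p | q-1."""
    fs = prime_factors(q - 1)
    for g in range(2, q):
        if all(pow(g, (q - 1) // p, q) != 1 for p in fs):
            return g
    raise ValueError("no generator found")


def dlog_mod_2m(z, g, q, m):
    """log_g(z) mod 2^m via Pohlig-Hellman restricted to the 2-part: project
    into the subgroup of order 2^m and recover the log one bit at a time."""
    M = 1 << m
    h = pow(g, (q - 1) // M, q)      # generates the subgroup of order M
    t = pow(z, (q - 1) // M, q)      # equals h^(log_g z mod M)
    h_inv = pow(h, -1, q)
    x = 0
    for i in range(m):
        # (t * h^{-x})^(2^(m-1-i)) is 1 if bit i of the log is 0, else -1
        e = pow(t * pow(h_inv, x, q) % q, 1 << (m - 1 - i), q)
        if e != 1:
            x |= 1 << i
    return x


def make_nm_ext(m):
    """Build nmExt : F_q x F_q -> Z_{2^m}, nmExt(x, y) = log_g(x + y) mod 2^m.
    Returns (nm_ext, q, g)."""
    q, _ = find_q(m)
    g = find_generator(q)

    def nm_ext(x, y):
        z = (x + y) % q
        return 0 if z == 0 else dlog_mod_2m(z, g, q, m)   # z = 0: convention
    return nm_ext, q, g


def quadratic_character_bit(z, q):
    """One-bit case: 1 iff z is a quadratic non-residue mod q, i.e. log_g z is odd."""
    return 0 if pow(z, (q - 1) // 2, q) == 1 else 1
```

Running the search for $m = 4, 8, 16$ stops immediately at the Fermat primes $17$, $257$, $65537$; for $m = 12$ it takes three steps to reach $q = 3 \cdot 2^{12} + 1 = 12289$. The low bit of the output agrees with the quadratic character of $x + y$, which is the $m = 1$ case in the text; a brute-force logarithm table confirms the Pohlig-Hellman bits for a small $q$.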

Now we prove that nmExt is a non-malleable extractor. 
Theorem 4.1. The above function $\mathrm{nmExt} : \mathbb{F}_q \times \mathbb{F}_q \to \mathbb{Z}_M$ is a $(k, \varepsilon)$-non-malleable extractor for $\varepsilon = 11 \cdot 2^m q^{1/4} 2^{-k/2}$.

Proof. The heart of our proof is a new character sum estimate, given in Theorem 5.2 (and Corollary 5.3). We now show how to deduce Theorem 4.1 from the character sum estimate and Lemma 3.8. Let $X$ be a distribution with $H_\infty(X) \ge k$, and let $Y$ be uniform on $\mathbb{F}_q$. As is well-known, we may assume without loss of generality that $X$ is uniform on a set of size $2^k$. We set $G = \mathbb{Z}_M$, $(W, W') = (\mathrm{nmExt}(X, Y), \mathrm{nmExt}(X, \mathcal{A}(Y)))$, and we condition on $Y = y$. Since $M \mid (q - 1)$, we have that for a character $\phi$ of $G$, the function $\chi(z) = \phi(h(\log_g(z)))$ is a multiplicative character of $\mathbb{F}_q$. Therefore, Corollary 5.3 shows that $((W, W') \mid Y = y)$ satisfies the hypotheses of Lemma 3.8 for some $\eta_y$, where $\mathbb{E}_{y \leftarrow Y}[\eta_y] \le \eta$ for $\eta = 11\,q^{1/4}2^{-k/2}$. Thus, by Lemma 3.8, $((W, W') \mid Y = y)$ is $M\eta_y$-close to $((U, W') \mid Y = y)$ for every $y$. Since this expression is linear in $\eta_y$, we conclude that $(W, W', Y)$ is $M\eta$-close to $(U, W', Y)$, as required. □

Note that this theorem assumes that the seed is chosen uniformly from $\mathbb{F}_q$, consistent with Definition 1.3. However, we may desire to have the seed be a uniformly random bit string. This causes a problem, since we may not be able to choose $q$ close to a power of 2. If we use a $d$-bit seed where $2^d \le q < 2^{d+1}$, then we can view the seed as an integer between $0$ and $2^d - 1$, or simply as an element of $\mathbb{F}_q$ with min-entropy at least $(\log q) - 1$. We can handle this, and in fact much lower min-entropy in the seed, as follows. First, we recall Definition 1.6 of a non-malleable extractor with a weakly-random seed. The following lemma shows that a non-malleable extractor with small error remains a non-malleable extractor even if the seed is weakly random.

Lemma 4.2. A $(k, \varepsilon)$-non-malleable extractor $\mathrm{nmExt} : [N] \times [D] \to [M]$ is also a $(k, k', \varepsilon')$-non-malleable extractor with $\varepsilon' = (D/2^{k'})\varepsilon$.

Proof. For $y \in [D]$, let $\varepsilon_y = \Delta\bigl((\mathrm{nmExt}(X, y), \mathrm{nmExt}(X, \mathcal{A}(y)), y), (U_{[M]}, \mathrm{nmExt}(X, \mathcal{A}(y)), y)\bigr)$. Then for $Y$ chosen uniformly from $[D]$,

$$\varepsilon \ge \Delta\bigl((\mathrm{nmExt}(X, Y), \mathrm{nmExt}(X, \mathcal{A}(Y)), Y), (U_{[M]}, \mathrm{nmExt}(X, \mathcal{A}(Y)), Y)\bigr) = \frac{1}{D}\sum_{y \in [D]} \varepsilon_y.$$

Thus, for $Y'$ with $H_\infty(Y') \ge k'$, we get

$$\Delta\bigl((\mathrm{nmExt}(X, Y'), \mathrm{nmExt}(X, \mathcal{A}(Y')), Y'), (U_{[M]}, \mathrm{nmExt}(X, \mathcal{A}(Y')), Y')\bigr) = \sum_{y \in [D]} \Pr[Y' = y]\,\varepsilon_y \le 2^{-k'}\sum_{y \in [D]} \varepsilon_y \le \frac{D}{2^{k'}}\,\varepsilon.$$

□

It is now simple to analyze our non-malleable extractor as a function $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$. Here we work over $\mathbb{F}_q$, where $q$ is the smallest prime (or prime power) congruent to 1 modulo $M = 2^m$. We let $d = \lfloor \log_2 q \rfloor$, which is $n + c\log n + O(1)$ under Conjecture 3.7. We could even let $d = n$ and the error would only grow by $n^c$.

Theorem 4.3. Under Conjecture 3.7 with constant $c$, for any $n$, $k > n/2 + (c/2)\log n$, and $m < k/2 - n/4 - (c/4)\log n$, the above function $\mathrm{nmExt} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a polynomial-time computable, $(k, \varepsilon)$-non-malleable extractor for $\varepsilon = O(n^{c/4}2^{m - k/2 + n/4})$.






Proof. Suppose that Conjecture 3.7 holds for the constant $c$. Then $q = O(n^c 2^n)$, and the seed has min-entropy $k' = d$. Applying Lemma 4.2 with $D = q < 2^{d+1}$ and $k' = d$, the error of Theorem 4.1 grows by a factor $q/2^d < 2$, so we obtain error

$$\varepsilon = O\bigl(2^m q^{1/4} 2^{-k/2}\bigr) = O\bigl(n^{c/4} 2^{m - k/2 + n/4}\bigr).$$

□

After seeing [CRS11], we improved our character sum to handle weak seeds, using ideas related to their work and [Raz05]. In particular, we showed Theorem 5.4, which implies the following theorem.

Theorem 4.4. Under Conjecture 3.7, for $k \ge (1/2 + \alpha)n$ and $k' \ge (7/\alpha)(m + \log\varepsilon^{-1}) + 8\log n$, the above function is a $(k, k', \varepsilon)$-non-malleable extractor.

Proof. The theorem follows from Theorem 5.4 in the same way that Theorem 4.1 follows from Theorem 5.2. □



5 A Character Sum Estimate 

We now prove the necessary character sum estimate. We prove a somewhat more general statement than is needed for the one-bit extractor, as the general statement is needed to output many bits. Throughout this section, we take F = F_q to be a finite field with q elements. In addition, we suppose that χ : F^* → C^* is a nontrivial character of order d = q − 1, and we extend the domain of χ to F by taking χ(0) = 0. The following lemma is a consequence of Weil's resolution of the Riemann Hypothesis for curves over finite fields (see [Wei48]). In this context, we say that a polynomial f ∈ F[x] has m distinct roots when f has m distinct roots in the algebraic closure F̄ of F, or equivalently when this holds in a splitting field for f.

Lemma 5.1. Suppose that f ∈ F[x] is a monic polynomial having m distinct roots which is not a dth power in F[x]. Then

Proof. This is immediate from Theorem 2C' of Schmidt [Sch76] (see page 43 of the latter source). 

□ 

We next consider two arbitrary characters, where the first is nontrivial; without loss of generality we may take these to be χ_a(x) = (χ(x))^a and χ_b(x) = (χ(x))^b, where 0 < a < q − 1 and 0 ≤ b < q − 1. Now we establish the main character sum estimate. Note that we need the assumption that a ≠ 0: if a = 0 and b = (q − 1)/2, we could take A(y) = 0 and let S be the set of quadratic residues, and then one has no cancellation in the character sum.



5.1 Character Sum for Uniform Seeds 

We begin by proving the character sum corresponding to uniformly random seeds. Although this follows from the more general character sum of Theorem 5.4 below, the proof is simpler and gives intuition for the general character sum. Moreover, this theorem came before [CRS11], whereas the more general Theorem 5.4 came afterwards.
Theorem 5.2. Suppose that S is a non-empty subset of F, and that A : F → F is any function satisfying the property that A(y) ≠ y for all y ∈ F. Then one has

    Σ_{y∈F} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) | ≤ 11^{1/4} q^{5/4} |S|^{1/2}.

Proof. Write Θ = Σ_{y∈F} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) |. We begin by applying Cauchy's inequality to obtain

    Θ^2 ≤ q Σ_{y∈F} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) |^2 = q Σ_{s,t∈S} Σ_{y∈F} ψ_{s,t}(y),

in which we have written

    ψ_{s,t}(y) = χ_a(s + y) χ_b(s + A(y)) \overline{χ_a(t + y) χ_b(t + A(y))}.   (2)

Applying Cauchy's inequality a second time, we deduce that

    Θ^4 ≤ q^2 |S|^2 Σ_{s,t∈S} | Σ_{y∈F} ψ_{s,t}(y) |^2.

By positivity, the sum over s and t may be extended from S to the entire set F, and thus we deduce that

    Θ^4 ≤ q^2 |S|^2 Σ_{s,t∈F} Σ_{y,z∈F} ψ_{s,t}(y) \overline{ψ_{s,t}(z)}.   (3)

On recalling the definition (2), we may expand the right hand side of (3) to obtain the bound

    Θ^4 ≤ q^2 |S|^2 Σ_{y,z∈F} |ν(y, z)|^2,   (4)

where

    ν(y, z) = Σ_{s∈F} χ_a(s + y) χ_b(s + A(y)) \overline{χ_a(s + z) χ_b(s + A(z))}.

Recall now the hypothesis that y ≠ A(y). It follows that, considered as an element of F[x], the polynomial

    h_{y,z}(x) = (x + y)^a (x + A(y))^b (x + z)^{q−1−a} (x + A(z))^{q−1−b}

can be a dth power only when y = z, or when y = A(z), a = b and z = A(y). In order to confirm this assertion, observe first that when y ≠ z and y ≠ A(z), then h_{y,z} has a zero of multiplicity a at −y. Next, when y = A(z), one has z ≠ y, and so when a ≠ b the polynomial h_{y,z} has a zero of multiplicity q − 1 + a − b at −y. Finally, when y = A(z) and a = b, then provided that z ≠ A(y) one finds that h_{y,z} has a zero of multiplicity q − 1 − a at −z. In all of these situations it follows that h_{y,z} has a zero of multiplicity not divisible by d = q − 1. When y ≠ z, and (y, z) ≠ (A(z), A(y)), therefore, the polynomial h_{y,z}(x) is not a dth power in F[x], and has at most 4 distinct roots. In such a situation, it therefore follows from Lemma 5.1 that

    ν(y, z) = Σ_{s∈F} χ(h_{y,z}(s))

is bounded in absolute value by 3√q. Meanwhile, irrespective of the values of y and z, the expression ν(y, z) is trivially bounded in absolute value by q. Substituting these estimates into (4), we arrive at the upper bound

    Θ^4 ≤ q^2 |S|^2 ( Σ_{y∈F} Σ_{z∈F\{y, A(y)}} 9q + Σ_{y∈F} 2q^2 ) ≤ 11 q^5 |S|^2.

We may thus conclude that Θ ≤ 11^{1/4} q^{5/4} |S|^{1/2}.

A direct computation yields the following corollary.

Corollary 5.3. Under the hypotheses of the statement of Theorem 5.4, one has

    Σ_{y∈F} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) | ≤ η q |S|,

where η ≤ 2 q^{1/4} / |S|^{1/2}.



□ 
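The estimate of Theorem 5.2 can be checked numerically on a small prime field. The following Python is an added example, not code from the paper: it takes χ to be the quadratic character (so a = b = (q − 1)/2), S an interval and A(y) = y + 1, and compares Θ with the trivial bound q|S|, the bound 11^{1/4} q^{5/4} |S|^{1/2}, and the η of Corollary 5.3; the constructed values q = 2003 and |S| = 400 are chosen so that η = 2q^{1/4}/|S|^{1/2} < 1.

```python
"""Numerical check of the character sum bound of Theorem 5.2 (added example)."""


def quadratic_character(q):
    """Table of chi(u) for u in F_q: the Legendre symbol, with chi(0) = 0."""
    table = [0] * q
    for u in range(1, q):
        table[u] = 1 if pow(u, (q - 1) // 2, q) == 1 else -1
    return table


def character_sum(q, S, A):
    """Theta = sum_{y in F_q} | sum_{s in S} chi(s+y) chi(s+A(y)) | for the quadratic chi."""
    chi = quadratic_character(q)
    theta = 0
    for y in range(q):
        ay = A(y) % q
        theta += abs(sum(chi[(s + y) % q] * chi[(s + ay) % q] for s in S))
    return theta


def bounds(q, size):
    """(bound of Theorem 5.2, eta of Corollary 5.3, trivial bound q|S|)."""
    return 11 ** 0.25 * q ** 1.25 * size ** 0.5, 2 * q ** 0.25 / size ** 0.5, q * size


def check(q=2003, size=400):
    """Constructed instance: S = {0, ..., size-1} and A(y) = y + 1, so A(y) != y for all y."""
    S = range(size)
    theta = character_sum(q, S, lambda y: y + 1)
    bound, eta, trivial = bounds(q, size)
    return theta, bound, eta, trivial


if __name__ == "__main__":
    theta, bound, eta, trivial = check()
    print(f"Theta = {theta}, bound = {bound:.0f}, eta = {eta:.3f}, trivial = {trivial}")
```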



5.2 Character Sum for Weak Seeds 

The work in this subsection came after [CRS11], and uses ideas related to their work and to [Raz05].

Theorem 5.4. For 0 < α, η < 1/2, suppose that S and T are non-empty subsets of F with |S| ≥ q^{1/2+α} and |T| ≥ max((1/η)^{7/α}, (log q)^8), and that A : F → F is any function satisfying the property that A(y) ≠ y for all y ∈ F. Then for large enough q, we have

    Σ_{y∈T} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) | ≤ η |T| |S|.

We prove this by choosing a suitable parameter r in the following theorem.

Theorem 5.5. Suppose that S and T are non-empty subsets of F, and that A : F → F is any function satisfying the property that A(y) ≠ y for all y ∈ F. Then for each natural number r, one has

    Σ_{y∈T} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) | ≤ λ_r q^{1/(4r)} |S|^{1 − 1/(2r)} |T|,

where

    λ_r = ( (4r − 1)^2 + (2r)^{2r} q |T|^{−r} )^{1/(4r)}.



Proof. Write

    Θ = Σ_{y∈T} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) |.

We begin by applying Cauchy's inequality to obtain

    Θ^2 ≤ |T| Σ_{y∈T} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) |^2 = |T| Σ_{s,t∈S} Σ_{y∈T} ψ_{s,t}(y),

in which we have written

    ψ_{s,t}(y) = χ_a(s + y) χ_b(s + A(y)) \overline{χ_a(t + y) χ_b(t + A(y))}.   (5)

Applying Hölder's inequality, we deduce that

    Θ^{4r} ≤ |T|^{2r} |S|^{4r−2} Σ_{s,t∈S} | Σ_{y∈T} ψ_{s,t}(y) |^{2r}.

By positivity, the sum over s and t may be extended from S to the entire set F, and thus we deduce that

    Θ^{4r} ≤ |T|^{2r} |S|^{4r−2} Σ_{s,t∈F} Σ_{y∈T^{2r}} Π_{i=1}^{r} ψ_{s,t}(y_i) \overline{ψ_{s,t}(y_{r+i})}.   (6)

On recalling the definition (5), we may expand the right hand side of (6) to obtain the bound

    Θ^{4r} ≤ |T|^{2r} |S|^{4r−2} Σ_{y∈T^{2r}} |ν(y)|^2,   (7)

where

    ν(y) = Σ_{s∈F} Π_{i=1}^{r} χ_a(s + y_i) χ_b(s + A(y_i)) \overline{χ_a(s + y_{r+i}) χ_b(s + A(y_{r+i}))}.

We now consider the circumstances in which, considered as an element of F[x], the polynomial

    h_y(x) = Π_{i=1}^{r} (x + y_i)^a (x + A(y_i))^b (x + y_{r+i})^{q−1−a} (x + A(y_{r+i}))^{q−1−b}

is a dth power. Consider a fixed 2r-tuple y ∈ T^{2r} and an index i with 1 ≤ i ≤ 2r. If there is no index j with 1 ≤ j ≤ 2r and j ≠ i for which

    y_i = y_j or y_i = A(y_j),   (8)

then in view of our hypothesis that y_i ≠ A(y_i), it follows that the polynomial h_y(x) has a zero of order precisely a at −y_i in the situation where 1 ≤ i ≤ r, or q − 1 − a at −y_i in the situation where r + 1 ≤ i ≤ 2r. Write B for the set of 2r-tuples y ∈ T^{2r} having the property that, for each index i with 1 ≤ i ≤ 2r, there exists an index j with 1 ≤ j ≤ 2r and j ≠ i for which (8) holds. It follows that if h_y(x) is to be a dth power in F[x], then one must have y ∈ B. On the other hand, when y ∈ T^{2r} \ B, the polynomial h_y(x) is not a dth power in F[x], and has at most 4r distinct roots. In such a situation, we therefore deduce from Lemma 5.1 that

    ν(y) = Σ_{s∈F} χ(h_y(s))

is bounded in absolute value by (4r − 1)√q. Meanwhile, irrespective of the value of y, the expression ν(y) is trivially bounded in absolute value by q. Substituting these estimates into (7), we arrive at the upper bound

    Θ^{4r} ≤ |T|^{2r} |S|^{4r−2} ( Σ_{y∈T^{2r}\B} |ν(y)|^2 + Σ_{y∈B} |ν(y)|^2 )
           ≤ |T|^{2r} |S|^{4r−2} ( (4r − 1)^2 q |T|^{2r} + q^2 |B| ).   (9)
It remains now only to bound |B|. We establish shortly that the 2r-tuples y lying in B are generated via the relations (8) from at most r of the coordinates y_i of y. With this in mind, we begin by bounding the number of 2r-tuples y generated from one such r-tuple. Suppose that there are l distinct values amongst y_1, …, y_{2r}, say y_{j_1} = v_1, …, y_{j_l} = v_l, with respective multiplicities a_1, …, a_l. Considering a fixed choice v_1, …, v_l, the number of ways in which y_1, …, y_{2r} may be selected to satisfy the multiplicity condition is (2r)!/(a_1! a_2! ⋯ a_l!).

Next we identify a directed graph with vertices labelled by the distinct elements v_1, …, v_l of F as follows. We consider the vertices v_1, v_2, …, v_l in turn. At stage i we consider all elements v_j with A(v_j) = v_i. If no such element v_j exists, then we add no edge. If one or more exist, on the other hand, then we select one such element v_j at random, and add a directed edge from v_j to v_i. Notice that, since v_1, …, v_l are distinct, it follows that there can be at most one directed edge leaving any given vertex. Also, by construction, there is at most one directed edge arriving at any given vertex. Furthermore, in view of the criterion (8), any vertex v_k which possesses no edges must necessarily have multiplicity a_k ≥ 2. In this way, we see that the graph constructed in this manner consists of at most a union of isolated vertices, non-branching paths of the shape

    v_{i_1} → v_{i_2} → ⋯ → v_{i_k},   (10)

and cycles of the shape

    v_{i_1} → v_{i_2} → ⋯ → v_{i_k} → v_{i_1}.   (11)

In the latter two cases, of course, one has k ≥ 2. For each non-branching path of type (10), we call the element v_{i_1} the root of the path. For each cycle of type (11), we call the element v_{i_1} a root of the cycle, though of course which element we label as v_{i_1} is unimportant. Notice that since v_{i_{m+1}} = A(v_{i_m}) for each m < k, roots uniquely determine all elements in the respective paths and cycles by repeated application of A. Consequently, all of the elements v_1, …, v_l are uniquely determined by the identities of the roots, and the indices defining the paths, cycles and isolated vertices of the graph.

Denote by z the number of paths and cycles in the graph, and by w the number of isolated vertices in the graph. Then on considering the multiplicities associated with the elements v_1, …, v_l, one finds that

    2z + 2w ≤ a_1 + ⋯ + a_l = 2r.

The number of elements from T that can occur as roots and isolated vertices is consequently at most |T|^{z+w} ≤ |T|^r. We estimate the number of possible arrangements of indices defining the paths, cycles and isolated vertices as follows. Given each element v_i, we can attach to it a directed path going to another element v_j in at most l − 1 ways, or choose not to attach a directed path from it. Thus there are in total at most ((l − 1) + 1)^l = l^l possible arrangements of indices defining the paths, cycles and isolated vertices amongst the l elements v_1, …, v_l. Combining the estimates that we have assembled thus far, we conclude that

    |B| ≤ |T|^r Σ_{a_1+⋯+a_l=2r} l^l (2r)!/(a_1! ⋯ a_l!).

Finally, on substituting this estimate into (9), we obtain

and the conclusion of the theorem follows on extracting 4r-th roots.



□ 
A direct computation yields the following corollary.

Corollary 5.6. Let η be a positive number with η ≤ 1. Then under the hypotheses of the statement of Theorem 5.5, one has

    Σ_{y∈T} | Σ_{s∈S} χ_a(s + y) χ_b(s + A(y)) | ≤ η |T| |S|   (12)

whenever |T| ≥ (2r)^2 q^{1/r} and |S| ≥ 4r q^{1/2} / η^{2r}.

Proof. Recall the notation of the statement of Theorem 5.5. When |T| ≥ (2r)^2 q^{1/r}, we find that

    λ_r^{4r} = (4r − 1)^2 + (2r)^{2r} q |T|^{−r} ≤ (4r − 1)^2 + 1 ≤ 16 r^2.

But then the upper bound (12) follows from Theorem 5.4 provided only that

    (16 r^2)^{1/(4r)} q^{1/(4r)} |S|^{1 − 1/(2r)} |T| ≤ η |T| |S|,

as is the case whenever |S| ≥ 4r q^{1/2} / η^{2r}. □

Proof of Theorem 5.4. We verify that the hypotheses of Theorem 5.4 imply the conditions on |S| and |T| in Corollary 5.6, for r = 1 + ⌊(2 log q)/log |T|⌋ ≥ 3. We then have q^{2/r} ≤ |T| ≤ q^{2/(r−1)}, and for large enough q we get 2r ≤ log q. Therefore |T| ≥ (log q)^4 |T|^{1/2} ≥ (2r)^2 q^{1/r}.

Moreover, 1/η^{2r} ≤ |T|^{2rα/7} ≤ q^{(4α/7)(r/(r−1))} ≤ q^{(4α/7)(3/2)} = q^{6α/7}, so that for large enough q we have

    |S| ≥ 4 (log q) q^{1/2 + 6α/7} ≥ 4r q^{1/2} / η^{2r},

as required. □

6 Application to Privacy Amplification 

Following [KR09], we define a privacy amplification protocol (P_A, P_B), executed by two parties Alice and Bob sharing a secret X ∈ {0,1}^n, in the presence of an active, computationally unbounded adversary Eve, who might have some partial information E about X satisfying H_∞(X|E) ≥ k. Informally, this means that whenever a party (Alice or Bob) does not reject, the key R output by this party is random and statistically independent of Eve's view. Moreover, if both parties do not reject, they must output the same keys R_A = R_B with overwhelming probability.

More formally, we assume that Eve is in full control of the communication channel between Alice and Bob, and can arbitrarily insert, delete, reorder or modify messages sent by Alice and Bob to each other. In particular, Eve's strategy P_E actually defines two correlated executions (P_A, P_E) and (P_E, P_B) between Alice and Eve, and Eve and Bob, called "left execution" and "right execution", respectively. We stress that the message scheduling for both of these executions is completely under Eve's control, and Eve might attempt to execute a run with one party for several rounds before resuming the execution with the other party. However, Alice and Bob are assumed to have fresh, private and independent random tapes Y and W, respectively, which are not known to Eve (who, by virtue of being unbounded, can be assumed deterministic). At the end of the left execution (P_A(X, Y), P_E(E)), Alice outputs a key R_A ∈ {0,1}^m ∪ {⊥}, where ⊥ is a special symbol indicating rejection. Similarly, Bob outputs a key R_B ∈ {0,1}^m ∪ {⊥} at the end of the right execution (P_E(E), P_B(X, W)). We let E' denote the final view of Eve, which includes E and the communication transcripts of both executions (P_A(X, Y), P_E(E)) and (P_E(E), P_B(X, W)). We can now define the security of (P_A, P_B). Our definition is based on [KR09].
Definition 6.1. An interactive protocol (P_A, P_B), executed by Alice and Bob on a communication channel fully controlled by an active adversary Eve, is a (k, m, ε)-privacy amplification protocol if it satisfies the following properties whenever H_∞(X|E) ≥ k:

1. Correctness. If Eve is passive, then Pr[R_A = R_B ∧ R_A ≠ ⊥ ∧ R_B ≠ ⊥] = 1.

2. Robustness. We start by defining the notion of pre-application robustness, which states that even if Eve is active, Pr[R_A ≠ R_B ∧ R_A ≠ ⊥ ∧ R_B ≠ ⊥] ≤ ε.

The stronger notion of post-application robustness is defined similarly, except Eve is additionally given the key R_A the moment she completed the left execution (P_A, P_E), and the key R_B the moment she completed the right execution (P_E, P_B). For example, if Eve completed the left execution before the right execution, she may try to use R_A to force Bob to output a different key R_B ∉ {R_A, ⊥}, and vice versa.

3. Extraction. Given a string r ∈ {0,1}^m ∪ {⊥}, let purify(r) be ⊥ if r = ⊥, and otherwise replace r ≠ ⊥ by a fresh m-bit random string U_m: purify(r) ← U_m. Letting E' denote Eve's view of the protocol, we require that

    Δ((R_A, E'), (purify(R_A), E')) ≤ ε   and   Δ((R_B, E'), (purify(R_B), E')) ≤ ε.

Namely, whenever a party does not reject, its key looks like a fresh random string to Eve.

The quantity k − m is called the entropy loss and the quantity log(1/ε) is called the security parameter of the protocol.

6.1 Case of k > n/2

Given a security parameter s, Dodis and Wichs showed that a non-malleable extractor which extracts at least 2 log n + 2s + 4 bits with error ε = 2^{−s−2} yields a two-round protocol for privacy amplification with optimal entropy loss. The protocol, which also uses any (regular) extractor Ext with optimal entropy loss and any asymptotically good one-time message-authentication code MAC (see Definition 6.7), is depicted in Figure 1.

Alice: X                                   Eve: E                                   Bob: X

Sample random Y.
                              Y  ───────────────→  Y'
                                                                 Sample random W'.
                                                                 R' = nmExt(X; Y').
                                                                 T' = MAC_{R'}(W').
                                                                 Set final R_B = Ext(X; W').
                         (W, T)  ←───────────────  (W', T')
R = nmExt(X; Y).
If T ≠ MAC_R(W) reject.
Set final R_A = Ext(X; W).

Figure 1: 2-round Privacy Amplification Protocol for H_∞(X|E) > n/2.
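The following Python is an added example, not code from the paper, that runs the two-round protocol of Figure 1 end to end with toy parameters; it also serves the field setup of Section 4 and the MAC of Theorem 6.8. It assumes nmExt(x, y) = log_g(x + y) mod 2^m over F_q with q the smallest prime congruent to 1 modulo 2^m, computed with Pohlig-Hellman (the page gives only the field setup, so that function body is an assumption), the polynomial-evaluation one-time MAC with key length 2v, and a GF(2^n) multiplication hash as Ext; the 32-bit sizes are for illustration and do not satisfy the bounds of Theorem 4.3.

```python
"""Toy run of the two-round protocol of Figure 1 (added example, not the paper's code)."""
import secrets

N_BITS = 32     # length of the shared weak secret X (toy size)
M_BITS = 16     # nmExt output length m; M = 2^m divides q - 1
OUT_BITS = 24   # length of the final key Ext(X; W)
TAG_BITS = 8    # MAC tag length v; the MAC key (a, b) has 2v = m bits
GF8_POLY = 0x11B                                             # x^8 + x^4 + x^3 + x + 1
GF32_POLY = (1 << 32) | (1 << 7) | (1 << 3) | (1 << 2) | 1   # x^32 + x^7 + x^3 + x^2 + 1


def is_prime(q):
    """Deterministic trial division; adequate for the 33-bit modulus used here."""
    return q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))


def smallest_prime_1_mod(M, lower):
    """Smallest prime q >= lower with q = 1 (mod M), the field size of Section 4."""
    q = ((lower - 1 + M - 1) // M) * M + 1
    while not is_prime(q):
        q += M
    return q


def subgroup_generator(q, M):
    """Element of F_q^* of order exactly M, for M a power of two dividing q - 1."""
    for r in range(2, q):
        g = pow(r, (q - 1) // M, q)
        if pow(g, M // 2, q) != 1:   # order divides M but not M/2, so it is M
            return g
    raise ValueError("no element of order M")


def dlog_pow2(h, g, m, q):
    """Pohlig-Hellman in the order-2^m subgroup <g>: the j with g^j = h (mod q)."""
    j = 0
    for i in range(m):
        # h * g^-j = g^(2^i * rest); raising to 2^(m-1-i) leaves (-1)^(bit i of j)
        if pow(h * pow(g, -j, q) % q, 1 << (m - 1 - i), q) != 1:
            j |= 1 << i
    return j


def setup_nmext(n, m):
    """Field parameters (q, g, m) for the assumed nmExt(x, y) = log_g(x + y) mod 2^m."""
    M = 1 << m
    q = smallest_prime_1_mod(M, 1 << n)
    return q, subgroup_generator(q, M), m


def nm_ext(params, x, y):
    """Assumed form of the extractor: discrete log of x + y modulo M = 2^m in F_q."""
    q, g, m = params
    u = (x + y) % q
    if u == 0:                     # chi(0) = 0 convention; happens with probability 1/q
        return 0
    return dlog_pow2(pow(u, (q - 1) >> m, q), g, m, q)


def gf2_mul(a, b, poly, deg):
    """Carry-less multiplication in GF(2^deg) modulo the irreducible polynomial poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> deg:
            a ^= poly
        b >>= 1
    return r


def mac(key, msg, msg_bits):
    """One-time polynomial MAC of Theorem 6.8: key (a, b) in GF(2^v)^2, tag = b + sum msg_i a^i."""
    a, b = key >> TAG_BITS, key & ((1 << TAG_BITS) - 1)
    tag, apow = b, a
    for i in range(msg_bits // TAG_BITS):          # d/v blocks of v bits
        block = (msg >> (TAG_BITS * i)) & ((1 << TAG_BITS) - 1)
        tag ^= gf2_mul(block, apow, GF8_POLY, TAG_BITS)
        apow = gf2_mul(apow, a, GF8_POLY, TAG_BITS)
    return tag


def ext(x, w, out_bits):
    """Leftover-hash style extractor: top out_bits of x * w in GF(2^32) (a universal hash)."""
    return gf2_mul(x, w, GF32_POLY, N_BITS) >> (N_BITS - out_bits)


def run_protocol(X, params, eve_y=lambda y: y, eve_wt=lambda w, t: (w, t)):
    """Figure 1 with Eve's tampering modelled by eve_y and eve_wt; None means reject."""
    Y = secrets.randbelow(1 << N_BITS)        # Alice: sample random Y
    Yp = eve_y(Y)                             # Eve delivers Y' to Bob
    Rp = nm_ext(params, X, Yp)                # Bob: R' = nmExt(X; Y')
    Wp = secrets.randbelow(1 << N_BITS)       # Bob: sample random W'
    Tp = mac(Rp, Wp, N_BITS)                  # Bob: T' = MAC_{R'}(W')
    R_B = ext(X, Wp, OUT_BITS)                # Bob: final R_B = Ext(X; W')
    W, T = eve_wt(Wp, Tp)                     # Eve delivers (W, T) to Alice
    R = nm_ext(params, X, Y)                  # Alice: R = nmExt(X; Y)
    if T != mac(R, W, N_BITS):                # Alice: reject on a bad tag
        return None, R_B
    return ext(X, W, OUT_BITS), R_B           # Alice: final R_A = Ext(X; W)


if __name__ == "__main__":
    p = setup_nmext(N_BITS, M_BITS)
    X = secrets.randbelow(1 << N_BITS)        # constructed weak secret for the demo
    print("passive Eve:", run_protocol(X, p))
    print("Eve flips a tag bit:", run_protocol(X, p, eve_wt=lambda w, t: (w, t ^ 1)))
```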
Using the bound from Theorem 4.3 and setting ε = 2^{−s} and m = s, we get the following theorem.

Theorem 6.2. Under Conjecture 3.7 with constant c, for any s > 0 there is a polynomial time computable (k, ε)-non-malleable extractor with m = s and ε = 2^{−s}, as long as k > n/2 + (c/2) log n + 4s + O(1).

Using this theorem, we obtain the following.

Theorem 6.3. Under Conjecture 3.7 with constant c, there is a polynomial-time, two-round protocol for privacy amplification with security parameter s and entropy loss O(log n + s), when the min-entropy k of the n-bit secret satisfies k > n/2 + (c/2 + 8) log n + 8s + O(1).

Using Weak Local Randomness. We notice that we can use Theorem 4.4 to argue that Alice does not need perfect local randomness Y to run the protocol in Figure 1. Indeed, since the output of the non-malleable extractor is only O(s) bits long, we only need the min-entropy of Y to be O(s). Similarly, Bob could use a two-source extractor Ext with a weak seed W constructed by Raz [Raz05]. Assuming the entropy rate of X is above 1/2 + α for some α > 0, this extractor extracts Ω(n) bits from X, and only needs the min-entropy of W to be O(s) as well. To summarize, Alice and Bob can each use local sources of randomness of min-entropy only O(s), and still extract Ω(n) secret bits from X.

6.2 Case of k = δn

Here we give our protocol for arbitrary positive entropy rate. We first give some preliminaries.

6.2.1 Prerequisites from previous work

Definition 6.4. An elementary somewhere-k-source is a vector of sources (X_1, …, X_C), such that some X_i is a k-source. A somewhere-k-source is a convex combination of elementary somewhere-k-sources.

Definition 6.5. A function Cond : {0,1}^n → ({0,1}^{n'})^C is a (k → k', ε)-somewhere-condenser if for every k-source X, the vector (X_1, …, X_C) = Cond(X) is ε-close to a somewhere-k'-source. When convenient, we call Cond a rate-(k/n → k'/n', ε)-somewhere-condenser.

We are going to use condensers recently constructed based on the sum-product theorem. Specifically, we have the following theorem.

Theorem 6.6 ([BKS+05, Raz05, Zuc07]). For any δ > 0 and constant β > 0, there is an efficient family of rate-(δ → 1 − β, ε = 2^{−Ω(n)})-somewhere condensers Cond : {0,1}^n → ({0,1}^{n'})^C, where C = poly(1/δ) and n' = poly(δ) n.

One-time message authentication codes (MACs) use a shared random key to authenticate a message in the information-theoretic setting.

Definition 6.7. A function family {MAC_R : {0,1}^d → {0,1}^v} is an ε-secure one-time MAC for messages of length d with tags of length v if for any w ∈ {0,1}^d and any function (adversary) A : {0,1}^v → {0,1}^d × {0,1}^v,

    Pr[MAC_R(W') = T' ∧ W' ≠ w | (W', T') = A(MAC_R(w))] ≤ ε,

where R is the uniform distribution over the key space {0,1}^ℓ.

Theorem 6.8 ([KR09]). For any message length d and tag length v, there exists an efficient family of (⌈d/v⌉ 2^{−v})-secure MACs with key length ℓ = 2v. In particular, this MAC is ε-secure when v = log d + log(1/ε).

More generally, this MAC also enjoys the following security guarantee, even if Eve has partial information E about its key R. Let (R, E) be any joint distribution. Then, for all attackers A_1 and A_2,

    Pr[MAC_R(W') = T' ∧ W' ≠ W | W = A_1(E), (W', T') = A_2(MAC_R(W), E)] ≤

(In the special case when R = U_{2v} and independent of E, we get the original bound.)

Finally, we will also need to use any strong seeded (k, ε)-extractor with optimal entropy loss O(log(1/ε)). A simple extractor that achieves this is the one from the leftover hash lemma, which uses a linear-length seed. We can also use more sophisticated constructions such as those in [GUV09, DKSS09], and the non-malleable extractor with short seed length [CRS11] to reduce the communication complexity of the protocol.

6.2.2 The protocol 

Now we give our privacy amplification protocol for the setting when H_∞(X|E) = k ≥ δn. We assume that the error ε we seek satisfies 2^{−Ω(δn)} ≤ ε ≤ 1/n. In the description below, it will be convenient to introduce an "auxiliary" security parameter s. Eventually, we will set s = log(C/ε) + O(1) = log(1/ε) + O(1), so that O(C)/2^s ≤ ε, for a sufficiently large O(C) constant related to the number of "bad" events we will need to account for. We will need the following building blocks:

• Let Cond : {0,1}^n → ({0,1}^{n'})^C be a rate-(δ → 0.9, 2^{−s})-somewhere-condenser. Specifically, we will use the one from Theorem 6.6, where C = poly(1/δ) = O(1), n' = poly(δ) n = Ω(n) and 2^{−s} ≥ 2^{−Ω(δn)}.

• Let nmExt : {0,1}^{n'} × {0,1}^{n'} → {0,1}^{m'} be a (0.9n', 2^{−s})-non-malleable extractor. Specifically, we will use the one from Theorem 6.2 (which is legal since 0.9n' ≥ n'/2 + O(log n') + 8s + O(1)) and set the output length m' = 4s (see the description of MAC below for more on m').

• Let Ext : {0,1}^n × {0,1}^d → {0,1}^m be a (k', 2^{−s})-extractor with optimal entropy loss k' − m = O(s). Specifically, we will set k' = k − (7C + 11)s = k − O(s), which means that m = k − O(s) as well. We will use the notation Ext_{a..b}(X; W), where 1 ≤ a ≤ b ≤ m, to denote the substring of extracted bits from bit position a to bit position b. We assume the seed length d ≤ n (e.g., by using a universal hash function, but more seed-efficient extractors will work too, reducing the communication complexity).

• Let MAC be the one-time, 2^{−s}-secure MAC for d-bit messages, whose key length ℓ' = m' (the output length of nmExt). Using the construction from Theorem 6.8, we set the tag length v' = s + log d ≤ 2s (since d ≤ n ≤ 1/ε ≤ 2^s), which means that the key length ℓ' = m' = 2v' ≤ 4s.

• Let lrMAC be another one-time ("leakage-resilient") MAC for d-bit messages, but with tag length v = 2v' ≤ 4s and key length ℓ = 2v ≤ 8s. We will later use the second part of Theorem 6.8 to argue good security of this MAC even when v' bits of partial information about its key are leaked to the attacker. To not confuse the two MACs, we will use Z (instead of R) to denote the key of lrMAC and L (instead of T) to denote the tag of lrMAC.

Using the above building blocks, the protocol is given in Figure 2. To emphasize the presence of Eve, we will use 'prime' to denote all the protocol values seen or generated by Bob; e.g., Bob picks W'_1, but Alice sees a potentially different W_1, etc. Also, for any random variable G used in describing our protocol, we use the notation G = ⊥ to indicate that G was never assigned any value, because the party who was supposed to assign G rejected earlier. The case of the final keys R_A and R_B becomes a special case of this convention.

Our protocol proceeds in C + 1 Phases. During the first C Phases, we run C sequential copies of the two-round protocol for the entropy-rate greater than 1/2 case (see Figure 1), but use the derived secret X_i (output by the somewhere-condenser) instead of X during the i-th run. Intuitively, since one of the values X_i is expected to have entropy rate above 1/2, we hope that the key Z_i extracted in this Phase is secret and uniform. However, there are several complications we must resolve to complete this template into a secure protocol.

The first complication is that Eve might not choose to execute its run with Alice in a "synchronous" manner with its execution with Bob. We prevent such behavior of Eve by introducing "liveness tests", where after each Phase Alice has to prove that she participated during that Phase. Such tests were implicit in the original paper of Renner and Wolf [RW03], and made explicit by Kanukurthi and Reyzin [KR09]. Each liveness test (except for the last one in Phase C + 1, to be discussed) consists of Bob sending Alice a seed for the extractor Ext (which is anyway sent during the i-th Phase), and Alice responding with the first s bits of the extracted output. Intuitively, although Eve may choose to maul the extractor seed (which might be possible for all Phases where the entropy rate of X_i is below 1/2), Eve cannot predict the correct output without asking Alice something. And since Bob uses a new liveness test between every two Phases, this effectively forces Eve to follow a natural "synchronous" interleaving between the left and the right executions.

The second complication comes from the fact that after a "good" (rate above 1/2) Phase i is completed, the remaining phases might use low-rate sources X_{i+1}, …, X_C. Hence, one needs a mechanism to make sure that once a good key is extracted in some a-priori unknown phase, good keys will be extracted in future phases as well, even if the remaining derived sources X_i have low entropy-rate. This is done by using a second message authentication code lrMAC, keyed by a value Z'_{i−1} extracted by Bob in the previous Phase (i − 1), to authenticate the seed sent in Phase i. The only subtlety is that Bob still sends the original MAC of W'_i, and this MAC might be correlated with the previous extracted key Z_{i−1} (especially if Phase i uses "bad-rate" X_i). Luckily, by using the "leakage-resilient" property of our second MAC (stated in Theorem 6.8), and setting the parameters accordingly, we can ensure that Z'_{i−1} has enough entropy to withstand the "leakage" of the original MAC of W'_i.
Alice: X                                   Eve: E                                   Bob: X

(X_1, …, X_C) = Cond(X).                                                    (X_1, …, X_C) = Cond(X).

Phase 1
Sample random Y_1.
                             Y_1  ───────────────→  Y'_1
                                                                 Sample random W'_1.
                                                                 R'_1 = nmExt(X_1; Y'_1).
                                                                 T'_1 = MAC_{R'_1}(W'_1).
                                                                 Z'_1 = Ext_{s+1..s+ℓ}(X; W'_1).
                       (W_1, T_1)  ←───────────────  (W'_1, T'_1)
R_1 = nmExt(X_1; Y_1).
If T_1 ≠ MAC_{R_1}(W_1) reject.
Z_1 = Ext_{s+1..s+ℓ}(X; W_1).

Phases 2..C
For i = 2 to C
  Sample random Y_i.
  S_{i−1} = Ext_{1..s}(X; W_{i−1}).
                    (S_{i−1}, Y_i)  ───────────────→  (S'_{i−1}, Y'_i)
                                                                 Sample random W'_i.
                                                                 If S'_{i−1} ≠ Ext_{1..s}(X; W'_{i−1}) reject.
                                                                 L'_i = lrMAC_{Z'_{i−1}}(W'_i).
                                                                 R'_i = nmExt(X_i; Y'_i).
                                                                 T'_i = MAC_{R'_i}(W'_i).
                                                                 Z'_i = Ext_{s+1..s+ℓ}(X; W'_i).
                  (W_i, T_i, L_i)  ←───────────────  (W'_i, T'_i, L'_i)
  If L_i ≠ lrMAC_{Z_{i−1}}(W_i) reject.
  R_i = nmExt(X_i; Y_i).
  If T_i ≠ MAC_{R_i}(W_i) reject.
  Z_i = Ext_{s+1..s+ℓ}(X; W_i).
EndFor

Phase C + 1
Re-assign Z_C = Ext_{1..m'}(X; W_C).                                        Z'_C = Ext_{1..m'}(X; W'_C).
Sample random W_{C+1}.
S_C = MAC_{Z_C}(W_{C+1}).
                   (S_C, W_{C+1})  ───────────────→  (S'_C, W'_{C+1})
                                                                 If S'_C ≠ MAC_{Z'_C}(W'_{C+1}) reject.
                                                                 Set final R_B = Ext(X; W'_{C+1}).
Set final R_A = Ext(X; W_{C+1}).

Figure 2: (2C + 1)-round Privacy Amplification Protocol for H_∞(X|E) ≥ δn.
The template above already ensures the robustness of the protocol, if we were to extract the key Z_C (or Z'_C for Bob) derived at the end of Phase C. Unfortunately, it does not necessarily ensure that Alice outputs a random key (i.e., it does not guarantee the extraction property for Alice). Specifically, by making Alice's execution run faster than Bob's execution, it might be possible for Eve to make Alice successfully accept a non-random seed W_C, resulting in a non-random key Z_C. Intuitively, since all the X_j's except for one might have low entropy rate, our only hope to argue security should come from the non-malleability of nmExt in the "good" Phase i. However, since Bob is behind Alice (say, at Phase j < i) during the good Phase i, Bob will use a wrong source X_j for the non-malleable extractor, and we cannot use the non-malleability of nmExt to argue that Eve cannot fool Alice into accepting a wrong seed W_i (and, then, wrong W_{i+1}, …, W_C). Of course, in this case we know Bob will eventually reject, since Eve won't be able to answer the remaining liveness tests. However, Alice's key Z_C is still non-random, violating extraction.

This is the reason for introducing the last Phase C + 1. During this phase Alice (rather than Bob) picks the last seed W_{C+1} and uses it to extract her final key R_A. Therefore, R_A is now guaranteed to be random. However, now we need to show how to preserve robustness and Bob's extraction. This is done by Alice sending the MAC of W_{C+1} using the key Z_C she extracted during the previous round. (We call this MAC S_C rather than T_{C+1}, since it also serves as a liveness test for Alice during Phase C + 1.) From the previous discussion, we know that, with high probability, (a) either Z_C is non-random from Eve's perspective, but then Bob will almost certainly reject (ensuring robustness and preserving Bob's extraction); or (b) Z_C = Z'_C is random and secret from Eve, in which case the standard MAC security suffices to ensure both robustness and Bob's extraction.

We detail the formal proof following the above intuition in the next section, which also establishes the desired parameters promised by Theorem 1.5.

6.2.3 Security Proof of Our Protocol (Proof of Theorem 1.5)

We start by noticing that our protocol takes 2C + 1 = poly(1/δ) = O(1) rounds and achieves entropy loss k − m = O(Cs) = O(poly(1/δ) log(1/ε)), as claimed. Also, the protocol obviously satisfies the correctness requirement.

We will also assume that the side information E is empty (or fixed to a constant), since by Lemma 3.3, with probability 1 − 2^{−s}, H_∞(X|E = e) ≥ k − s, which will not affect any of our bounds. Before proving robustness and extraction properties of our protocol, we start with the following simple observation.

Lemma 6.9. Let E' be Eve's view at the end of her attack (without the keys R_A and R_B used in the post-application robustness experiment). Then, for any deterministic functions f and g, we have

    H_∞(f(X) | g(E')) ≥ H_∞(f(X)) − (7C − 3)s.

In particular, recalling that k' = H_∞(X) − (7C + 11)s, we have H_∞(X | g(E')) ≥ k' + 14s.

Proof. Clearly, it is sufficient to prove the claim for g being the identity, as it gives the predictor the most information to guess f(X). Also notice that, at best, if neither party rejects, Eve's view is E' = (Y, S, W', T', L', W_{C+1}), where Y = {Y_1, …, Y_C}, S = {S_1, …, S_C}, W' = {W'_1, …, W'_C}, T' = {T'_1, …, T'_C} and L' = {L'_2, …, L'_C}. Since Y, W' and W_{C+1} are independent of X (and, thus, f(X)), using Lemma 3.4 and recalling |S_i| = s for i < C, |S_C| = |T'_i| = v' ≤ 2s and |L'_i| = v ≤ 4s, we have

    H_∞(f(X) | E') ≥ H_∞(f(X) | (Y, W', W_{C+1})) − |S| − |T'| − |L'|
                  = H_∞(f(X)) − (C − 1)s − v' − Cv' − (C − 1)v
                  ≥ H_∞(f(X)) − (C − 1)s − 2(C + 1)s − (C − 1)4s
                  = H_∞(f(X)) − (7C − 3)s.

□

Next, we will argue the extraction property for Alice.

Lemma 6.10.

    Δ((R_A, E'), (purify(R_A), E')) ≤ 2^{−s+1}.

Proof. Since purify(R_A) = R_A when Alice rejects (i.e., R_A = ⊥), it is sufficient to show that Alice's key is close to uniform conditioned on Alice not rejecting, i.e.

    Δ((Ext(X; W_{C+1}), E'), (U_m, E')) ≤ 2^{−s+1}.   (13)

By Lemma 6.9, H_∞(X|E') ≥ k' + 14s. Using Lemma 3.3, we get that Pr_{e'←E'}[H_∞(X|E' = e') ≥ k'] ≥ 1 − 2^{−s}. Since Ext is a (k', 2^{−s})-extractor, Equation (13) immediately follows from the triangle inequality and the security of the extractor, by conditioning on whether or not H_∞(X|E' = e') ≥ k'. □

Next, we notice that in order to violate either robustness or Bob's extraction, Eve must make Bob accept (i.e., R_B ≠ ⊥). Therefore, we start by examining how Eve might cause Bob to accept. Notice, since Alice sends C + 1 messages, including the first and the last message, Eve can make C + 1 calls to Alice, which we call Alice_1, …, Alice_{C+1}, where, for each call Alice_i, 1 ≤ i ≤ C + 1, Eve gets back the message sent by Alice during Phase i. Additionally, Alice also computes her key R_A in response to Alice_{C+1} (and gives R_A to Eve, in addition to S_C and W_{C+1}, for post-application robustness). Similarly, Eve can also make C + 1 calls to Bob, denoted Bob_1, …, Bob_{C+1}, where each call Bob_i expects as input the message that Alice supposedly sent to Bob in Phase i. When i ≤ C, Bob responds to such a message with his own message in Phase i. When i = C + 1, Bob computes his key R_B (and gives R_B to Eve for post-application robustness). Clearly, the (C + 1) calls to Alice must be made in order, and the same holds for the (C + 1) calls to Bob. However, a malicious Eve might attempt to interleave the calls in some adversarial manner to make Bob accept. We say that Eve is synchronous if she makes her oracle calls in the ("synchronous") order Alice_1, Bob_1, Alice_2, Bob_2, …, Alice_{C+1}, Bob_{C+1}. We notice that, without loss of generality, Eve always starts by making the Alice_1() call, since this call has no inputs Eve needs to provide. Namely, Eve might as well find out the value Y_1 first, and, if she wants, delay using this value until later. With this convention in mind, we show that Eve must be synchronous in order to make Bob accept.

Lemma 6.11.

    Pr[R_B ≠ ⊥ ∧ Eve is not synchronous] ≤ 3C/2^s.   (14)
Proof. As we said, we assume Eve always makes the call $\mathsf{Alice}_1$ first. After that, Eve makes $C+1$
calls to Bob and $C$ calls to Alice in some order. We claim that for every $1 \le i \le C$, Eve must
make at least one call to some $\mathsf{Alice}_j$ in between two successive calls $\mathsf{Bob}_i$ and $\mathsf{Bob}_{i+1}$. If we
show this (with total failure probability from Equation (14)), Eve must be synchronous, since the
synchronous scheduling is the only scheduling that starts with $\mathsf{Alice}_1$ and has a fresh call to Alice
between $\mathsf{Bob}_1$ and $\mathsf{Bob}_2$, $\mathsf{Bob}_2$ and $\mathsf{Bob}_3$, $\ldots$, $\mathsf{Bob}_C$ and $\mathsf{Bob}_{C+1}$.

Given $1 \le i \le C$, let $F_i$ denote the event that Eve's scheduling of calls made two successive calls
$\mathsf{Bob}_i$ and $\mathsf{Bob}_{i+1}$ without a fresh call to some $\mathsf{Alice}_j$, and Bob does not reject after the call $\mathsf{Bob}_{i+1}$.
We claim that $\Pr[F_i] \le 3/2^s$. The bound from Equation (14) then follows by simply taking the
union bound over all $i$. We consider two cases:

Case 1: $1 \le i < C$. In this case, after the call $\mathsf{Bob}_i(\cdot, \cdot)$ is made, Bob picks a fresh seed $W'_i$,
and returns it as part of the output. By assumption, Eve immediately makes a call $\mathsf{Bob}_{i+1}(S'_i, \cdot)$,
without any intermediate calls to Alice, and Bob rejects if $S'_i \neq \mathsf{Ext}_{1..s}(X; W'_i)$. Thus, to establish
our claim it is sufficient to show that $\Pr[S'_i = \mathsf{Ext}_{1..s}(X; W'_i)] \le 3/2^s$. Intuitively, the bound on
$\Pr[F_i]$ now follows from the fact that $\mathsf{Ext}$ is a good (strong) $(k', 2^{-s})$-extractor, since, conditioned
on Eve's information so far, the $s$-bit value $\mathsf{Ext}_{1..s}(X; W'_i)$ is $2^{-s}$-close to random, and, hence,
cannot be predicted with probability better than $2^{-s} + 2^{-s}$ (the third $2^{-s}$ is due to Lemma 3.3,
since our extractor is assumed to be worst case, and is not needed for universal hash function
extractors [DORS08]).

A bit more formally, let $E_i$ be Eve's view before the call to $\mathsf{Bob}_i$ is made, and $E'_i = (E_i, T'_i, L'_i)$
be Eve's view after the call to $\mathsf{Bob}_i$ is made. We notice that $E'_i$ is a deterministic function of
$E^*_i = (E_i, Z'_{i-1}, R'_i)$ and $W'_i$, since $L'_i = \mathsf{lrMAC}_{Z'_{i-1}}(W'_i)$ and $T'_i = \mathsf{MAC}_{R'_i}(W'_i)$. Moreover, $W'_i$ is
freshly chosen even conditioned on $E^*_i$. Thus, $\Pr[F_i] \le \Pr[\mathsf{Eve}(E^*_i, W'_i) = \mathsf{Ext}_{1..s}(X; W'_i)]$, where
$W'_i$ is independent of $(X, E^*_i)$. We also note that $H_\infty(X|E_i) \ge k' + 14s$, by Lemma 6.9, since $E_i$
is a function of $E'$. Thus, $H_\infty(X|E^*_i) \ge H_\infty(X|E_i) - |Z'_{i-1}| - |R'_i| \ge k' + 14s - 4s - 8s = k' + 2s$.
Using Lemma 3.3, $\Pr_{e^*}[H_\infty(X|E^*_i = e^*) \ge k'] \ge 1 - 2^{-s}$, and the rest follows from the fact that in
this case $(W'_i, \mathsf{Ext}_{1..s}(X; W'_i))$ is $2^{-s}$-close to $(W'_i, U_s)$, as mentioned earlier.

Case 2: $i = C$. In this case, after the call $\mathsf{Bob}_C(\cdot, \cdot)$ is made, Bob picks a fresh seed $W'_C$, and
returns it as part of the output. By assumption, Eve immediately makes a call $\mathsf{Bob}_{C+1}(S'_C, W'_{C+1})$,
without any intermediate calls to Alice, and Bob rejects if $S'_C \neq \mathsf{MAC}_{Z'_C}(W'_{C+1})$, where $Z'_C =
\mathsf{Ext}_{1..m'}(X; W'_C)$. Thus, to establish our claim it is sufficient to show that $\Pr[S'_C = \mathsf{MAC}_{Z'_C}(W'_{C+1})] \le
3/2^s$. Completely similarly to the previous case, we can argue that the value $Z'_C$ used by Bob is $2^{1-s}$-close
to $U_{m'}$ conditioned on Eve's view so far. Moreover, the $2^{-s}$-security of $\mathsf{MAC}$ ensures that,
when the key $Z'_C$ is truly uniform, Eve cannot successfully forge a valid tag $\mathsf{MAC}_{Z'_C}(W'_{C+1})$ of any
(even adversarially chosen) message $W'_{C+1}$ with probability greater than $2^{-s}$, completing the proof
of this case as well. □

Therefore, from now on we assume that Eve is indeed synchronous. Moreover, since Eve must
make Bob accept, we assume Eve finishes both the left and the right execution (with the last call to
$\mathsf{Bob}_{C+1}$, hoping that Bob will accept). Also, by Theorem 6.6, we have that $(X_1, \ldots, X_C)$ is $2^{-\Omega(n')}$-
close to a somewhere rate-0.9 source. Thus, we will ignore the error and think of $(X_1, \ldots, X_C)$ as
indeed being a somewhere rate-0.9 source, as it only adds $2^{-\Omega(n')} \ll 2^{-s}$ to the total probability
of error. Also, it is sufficient to show the robustness and extraction for Bob properties assuming
that $(X_1, \ldots, X_C)$ is an elementary somewhere rate-0.9 source, since $(X_1, \ldots, X_C)$ is a convex
combination of elementary somewhere rate-0.9 sources. Hence, from now on we assume that some
"good" index $1 \le g \le C$ satisfies $H_\infty(X_g) \ge 0.9n'$. We stress that this index $g$ is not known to
Alice and Bob, but could be known to Eve. We start by showing that, with high probability, Eve
must forward a correct seed $W'_g = W_g$ to Alice in the "good" Phase $g$.

Lemma 6.12. Assuming Eve is synchronous,

\[ \Pr[R_B \neq \bot \ \wedge\ W_g \neq W'_g] \le \frac{3}{2^s} \tag{15} \]

Proof. Let $E'_{g-1}$ be Eve's view before the call to $\mathsf{Alice}_g$. Note that $X_g$ is a deterministic function
of $X$, and $(E'_{g-1}, S_{g-1}, L'_g)$ is a deterministic function of Eve's transcript $E'$. Thus, by Lemma 6.9,

\[ \begin{aligned}
H_\infty(X_g \mid (E'_{g-1}, S_{g-1}, L'_g)) &\ge H_\infty(X_g) - (7C - 3)s \\
&\ge 0.9n' - (7C - 3)s \\
&= (n'/2 + O(\log n') + 8s + O(1)) + s + (0.4n' - O(Cs + \log n)) \\
&\ge (n'/2 + O(\log n') + 8s + O(1)) + s
\end{aligned} \]

where the last inequality follows since $n' = \mathrm{poly}(1/\delta)\, n \ge O(Cs + \log n)$. By Lemma 3.3, with
probability $1 - 2^{-s}$ over the fixings of $E'_{g-1}, S_{g-1}, L'_g$, the min-entropy of $X_g$ conditioned on these
fixings is at least $n'/2 + O(\log n') + 8s + O(1)$. Notice also that the seed $Y_g$ is independent of
$E'_{g-1}, S_{g-1}, L'_g$. Moreover, for the argument in this lemma, we will "prematurely" give Eve the
value $L'_g$ already after the call to $\mathsf{Alice}_g$ (instead of waiting to get it from the call to $\mathsf{Bob}_g$). Let us
now summarize the resulting task of Eve in order to make $W'_g \neq W_g$, and argue that Eve is unlikely
to succeed.

After the call to $\mathsf{Alice}_g$, with high probability the min-entropy of $X_g$ conditioned on Eve's view
is greater than $n'/2 + O(\log n') + 8s + O(1)$, so that we can apply the non-malleability guarantees
of $\mathsf{nmExt}$ given by Theorem 6.2. Alice then picks a random seed $Y_g$ for $\mathsf{nmExt}$ and gives it to Eve.
(Synchronous) Eve then forwards some related seed $Y'_g$ to $\mathsf{Bob}_g$ (and another value $S'_{g-1}$ that we
ignore here), and learns some message $W'_g$ and the tag $T'_g$ of $W'_g$, under key $R'_g = \mathsf{nmExt}(X_g; Y'_g)$
(recall, we assume Eve already knows $L'_g$ from before). To win the game, Eve must produce a value
$W_g \neq W'_g$ and a valid tag $T_g$ of $W_g$ under the original key $R_g = \mathsf{nmExt}(X_g; Y_g)$.

We consider two cases. First, if Eve sets $Y'_g = Y_g$, then $R_g = R'_g$ is $2^{-s}$-close to uniform by
Theorem 6.2. Now, if $R_g$ was truly uniform, by the one-time unforgeability of $\mathsf{MAC}$, the probability
that Eve can produce a valid tag $T_g$ of a new message $W_g \neq W'_g$ is at most $2^{-s}$. Hence, Eve cannot
succeed with probability more than $2^{-s+1}$ even with $R_g$ which is $2^{-s}$-close to uniform, implying the
bound stated in the lemma (since we also lost $2^{-s}$ by using Lemma 3.3 at the beginning).

On the other hand, if Eve makes $Y'_g \neq Y_g$, Theorem 6.2 implies that $\Delta((R_g, R'_g), (U_{m'}, R'_g)) \le
2^{-s}$. Thus, the tag $T'_g$ under $R'_g$ is almost completely useless in predicting the tag of $W_g$ under
(nearly random) $R_g$. Therefore, by the $2^{-s}$-security of $\mathsf{MAC}$, once again the probability that Eve can
successfully change $W_g$ without being detected is at most $2^{-s+1}$ (giving again the final bound
$3/2^s$). □

Now, we want to show that, once Eve forwards the correct $W'_g = W_g$ to Alice in Phase $g$, Eve must
forward correct seeds $W_i = W'_i$ in all future phases $i = g+1, \ldots, C$. We start with the following
observation, which states that the derived keys $Z'_{i-1}$ used by Bob in $\mathsf{lrMAC}$ look random to Eve
whenever Eve forwards a correct key $W_{i-1} = W'_{i-1}$ to Alice.
Lemma 6.13. Assume Eve is synchronous, $2 \le i \le C$, and Eve forwards a correct value $W_{i-1} =
W'_{i-1}$ to Alice during her call to $\mathsf{Alice}_i$. Also, let $E_i$ be Eve's view after the call to $\mathsf{Alice}_i(W_{i-1}, \cdot, \cdot)$.
Then

\[ \Delta((Z'_{i-1}, E_i), (U_\ell, E_i)) \le \frac{3}{2^s} \tag{16} \]

Proof. Notice that $E_i = (E_{i-1}, W'_{i-1}, T'_{i-1}, L'_{i-1}, S_{i-1}, Y_i)$, where $E_{i-1}$ is Eve's view after the call
to $\mathsf{Alice}_{i-1}$. For convenience, we replace the two tags $T'_{i-1}, L'_{i-1}$ of $W'_{i-1}$ by the corresponding
MAC keys $R'_{i-1}, Z'_{i-2}$, respectively, since this gives Eve only more information. Also, since $W_{i-1} = W'_{i-1}$,
we know that the value $S_{i-1} = \mathsf{Ext}_{1..s}(X; W_{i-1}) = \mathsf{Ext}_{1..s}(X; W'_{i-1})$. Recalling that $Z'_{i-1} =
\mathsf{Ext}_{s+1..s+\ell}(X; W'_{i-1})$, and denoting "side information" by $E^* = (E_{i-1}, R'_{i-1}, Z'_{i-2}, Y_i)$, it is enough
to argue

\[ \Delta\big((E^*, W'_{i-1}, \mathsf{Ext}_{1..s}(X; W'_{i-1}), \mathsf{Ext}_{s+1..s+\ell}(X; W'_{i-1})),\ (E^*, W'_{i-1}, \mathsf{Ext}_{1..s}(X; W'_{i-1}), U_\ell)\big) \le \frac{3}{2^s} \tag{17} \]

where we notice that $E^*$ is independent of the choice of random $W'_{i-1}$. In turn, Equation (17) follows
from the fact that $\mathsf{Ext}$ is a $(k', 2^{-s})$-extractor provided we can show that $H_\infty(X|E^*) \ge k' + s$. Indeed,
the first error term $2^{-s}$ comes from Lemma 3.3 to argue that $\Pr_{e^*}[H_\infty(X|E^* = e^*) \ge k'] \ge 1 - 2^{-s}$,
and the other two error terms follow from the triangle inequality and the security of the extractor
(applied first on the first $s$ extracted bits, and then on all $s + \ell$ extracted bits).
So we show that $H_\infty(X|E^*) \ge k' + s$.

\[ \begin{aligned}
H_\infty(X|E^*) &= H_\infty(X|E_{i-1}, R'_{i-1}, Z'_{i-2}, Y_i) \\
&\ge H_\infty(X|E_{i-1}, Y_i) - |R'_{i-1}| - |Z'_{i-2}| \\
&= H_\infty(X|E_{i-1}) - m' - \ell \\
&\ge k' + 14s - 4s - 8s \\
&= k' + 2s
\end{aligned} \]

where the first inequality used Lemma 3.4, the second equality used the fact that $Y_i$ is independent
of $(X, E_{i-1})$, and the second inequality used Lemma 6.9, since $E_{i-1}$ is a deterministic function of
$E'$. □
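The entropy accounting in this proof (and the same pattern in Lemmas 6.11 and 6.15) rests on two facts about conditional min-entropy: conditioning on an $\ell$-bit value lowers the average-case min-entropy by at most $\ell$ bits (Lemma 3.4), and the average-case quantity controls the worst-case one except with probability $2^{-s}$ over the fixing (Lemma 3.3); both are the standard statements from [DORS08]. The following Python code is an added illustration, not part of the paper: it computes both quantities exactly on constructed toy distributions (a 4-bit and a 3-bit uniform source with hypothetical deterministic leakage functions) and checks the two bounds. The function names are ours.

```python
from fractions import Fraction
from math import log2

# Constructed toy inputs: small uniform sources with hypothetical leakage
# functions, chosen only to exercise the two lemmas.

def joint_from_leak(px, leak):
    """Joint distribution {(x, z): Pr[X=x, Z=z]} for Z = leak(x), a
    deterministic leakage of X; px maps x -> Pr[X=x] (as Fractions)."""
    return {(x, leak(x)): p for x, p in px.items()}

def min_entropy(px):
    """Worst-case min-entropy H_inf(X) = -log2(max_x Pr[X=x])."""
    return -log2(max(px.values()))

def avg_guess_prob(joint):
    """sum_z max_x Pr[X=x, Z=z]: the best probability of guessing X after
    seeing Z.  The average-case min-entropy H~_inf(X|Z) is -log2 of this."""
    best = {}
    for (x, z), p in joint.items():
        best[z] = max(best.get(z, Fraction(0)), p)
    return sum(best.values(), Fraction(0))

def avg_min_entropy(joint):
    return -log2(avg_guess_prob(joint))

def chain_rule_holds(px, leak, leak_bits):
    """Lemma 3.4-style chain rule: conditioning on a leak_bits-bit value costs
    at most leak_bits bits, i.e. H~_inf(X|Z) >= H_inf(X) - leak_bits.  In
    guessing-probability form: avg_guess_prob <= max_x Pr[X=x] * 2^leak_bits."""
    joint = joint_from_leak(px, leak)
    return avg_guess_prob(joint) <= max(px.values()) * 2 ** leak_bits

def worst_case_failure_prob(joint, s):
    """Pr_z[ H_inf(X|Z=z) < H~_inf(X|Z) - s ]: the probability, over the
    fixing of Z, that the worst-case entropy falls more than s bits below the
    average.  Lemma 3.3 bounds this by 2^{-s}."""
    threshold = avg_guess_prob(joint) * 2 ** s
    pz, best = {}, {}
    for (x, z), p in joint.items():
        pz[z] = pz.get(z, Fraction(0)) + p
        best[z] = max(best.get(z, Fraction(0)), p)
    # H_inf(X|Z=z) < H~ - s   <=>   max_x Pr[X=x | Z=z] > avg_guess_prob * 2^s
    return sum((pz[z] for z in pz if best[z] / pz[z] > threshold), Fraction(0))

if __name__ == "__main__":
    # 4-bit uniform X, 2-bit leakage Z = X mod 4: the average entropy drops from 4 to exactly 2.
    px16 = {x: Fraction(1, 16) for x in range(16)}
    j16 = joint_from_leak(px16, lambda x: x % 4)
    print(min_entropy(px16), avg_min_entropy(j16), chain_rule_holds(px16, lambda x: x % 4, 2))
    # 3-bit uniform X, 1-bit leakage that pins X down completely when Z = 1:
    # the average entropy is 2, but the fixing Z = 1 (probability 1/8) leaves 0 bits.
    px8 = {x: Fraction(1, 8) for x in range(8)}
    j8 = joint_from_leak(px8, lambda x: 1 if x == 7 else 0)
    for s in range(4):
        print(s, worst_case_failure_prob(j8, s), Fraction(1, 2 ** s))
```

The second toy source shows why Lemma 3.3 is needed at all: its average-case min-entropy given $Z$ is 2 bits, yet the fixing $Z = 1$, which occurs with probability $1/8$, leaves no entropy; the lemma only promises that such bad fixings have total probability at most $2^{-s}$, which is exactly the $2^{-s}$ term carried through each of the bounds above.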

Next, we use Lemma 6.12 and Lemma 6.13 to show that, with high probability, Alice and Bob
must agree on the same key $Z_C = Z'_C$ when they reach the last Phase $(C+1)$.

Lemma 6.14. Assuming Eve is synchronous,

\[ \Pr[R_B \neq \bot \ \wedge\ Z_C \neq Z'_C] \le \frac{4C}{2^s} \tag{18} \]

Proof. Since $Z_C = \mathsf{Ext}_{1..m'}(X; W_C)$ and $Z'_C = \mathsf{Ext}_{1..m'}(X; W'_C)$, we get

\[ \begin{aligned}
\Pr[R_B \neq \bot \wedge Z_C \neq Z'_C] &\le \Pr[R_B \neq \bot \wedge W_C \neq W'_C] \\
&\le \Pr[R_B \neq \bot \wedge W_g \neq W'_g] + \sum_{i=g+1}^{C} \Pr[R_B \neq \bot \wedge W_{i-1} = W'_{i-1} \wedge W_i \neq W'_i] \\
&\le \frac{3}{2^s} + (C-1) \cdot \max_{i > g} \Pr[R_B \neq \bot \wedge W_{i-1} = W'_{i-1} \wedge W_i \neq W'_i]
\end{aligned} \]

where the second inequality states that in order for $W_C \neq W'_C$, either we must already have
$W_g \neq W'_g$ (which, by Lemma 6.12, happens with probability at most $3/2^s$), or there must be some
initial Phase $i > g$ where $W_{i-1} = W'_{i-1}$ still, but $W_i \neq W'_i$. Thus, to establish Equation (18), it
suffices to show that, for any Phase $g < i \le C$,

\[ \Pr[R_B \neq \bot \ \wedge\ W_{i-1} = W'_{i-1} \ \wedge\ W_i \neq W'_i] \le \frac{4}{2^s} \tag{19} \]

Intuitively, this property follows from the unforgeability of $\mathsf{lrMAC}$, since Eve must be able to
forge a valid tag $L_i$ of $W_i \neq W'_i$, given a valid tag $L'_i$ of $W'_i$ (under the same key $Z_{i-1} = Z'_{i-1}$, since $W_{i-1} =
W'_{i-1}$). The subtlety comes from the fact that Eve also learns the $v'$-bit value $T'_i = \mathsf{MAC}_{R'_i}(W'_i)$,
which could conceivably be correlated with the key $Z'_{i-1}$ for $\mathsf{lrMAC}$. Luckily, since the tag length
$v$ of $\mathsf{lrMAC}$ is twice as large as $v'$, Theorem 6.8 states that $\mathsf{lrMAC}$ is still unforgeable despite this
potential "key leakage".

More formally, if Eve forwards a correct value $W_{i-1} = W'_{i-1}$, both Alice and Bob use the same
key $Z_{i-1} = Z'_{i-1} = \mathsf{Ext}_{s+1..s+\ell}(X; W'_{i-1})$ for $\mathsf{lrMAC}$ during Phase $i$. Moreover, by Lemma 6.13, we
know that this key looks random to Eve right before the call to $\mathsf{Bob}_i$: $\Delta((Z'_{i-1}, E_i), (U_\ell, E_i)) \le 3/2^s$,
where $E_i$ is Eve's view after the call to $\mathsf{Alice}_i(W_{i-1}, \cdot, \cdot)$. After the call to $\mathsf{Bob}_i$, Eve learns the tag $L'_i$
of $W'_i$, and also a $v'$-bit value $T'_i$, which, for all we know, might be correlated with the key $Z'_{i-1}$.
Therefore, to argue the bound in Equation (19), it is sufficient to argue that Eve can succeed with
probability at most $2^{-s}$ in the following "truncated" experiment. After the call to $\mathsf{Alice}_i$, the actual
key $Z'_{i-1}$ is replaced by a uniform $Z^*_{i-1} \leftarrow U_\ell$. Then a random message $W'_i$ is chosen, its tag $L'_i$ is given
to Eve, and Eve is also allowed to obtain arbitrary $v'$ bits of information about $Z^*_{i-1}$. Eve succeeds
if she can produce a valid tag $L_i$ (under $Z^*_{i-1}$) of a different message $W_i \neq W'_i$. This is precisely the
precondition of the second part of Theorem 6.8, where $H_\infty(Z^*_{i-1}|E) \ge \ell - v' = 2v - v/2 = 3v/2$.
Hence, Eve's probability of success is at most $\delta 2^{v - 3v/2} \le \delta 2^{-v/2} = \delta 2^{-v'} \le 2^{-s}$. □

We need one more observation before we can finally argue Bob's extraction and robustness.
Namely, at the end of Phase $C$, (synchronous) Eve has almost no information about the authenti-
cation key $Z'_C$ used by Bob (and Alice, by Lemma 6.14) in the final Phase $C+1$.

Lemma 6.15. Assume Eve is synchronous, and let $E'_C$ be Eve's view after the call to $\mathsf{Bob}_C$. Then

\[ \Delta\big((Z'_C, E'_C \mid R_B \neq \bot),\ (U_{m'}, E'_C \mid R_B \neq \bot)\big) \le \frac{2}{2^s} \tag{20} \]

Additionally, $H_\infty(X|(E'_C, Z'_C)) \ge k' + 10s$.

Proof. The proof is similar to, but simpler than, the proof of Lemma 6.13. We notice that $E'_C =
(E_C, W'_C, T'_C, L'_C)$, where $E_C$ is Eve's view after the call to $\mathsf{Alice}_C$. For convenience, we replace the
two tags $T'_C, L'_C$ of $W'_C$ by the corresponding MAC keys $R'_C, Z'_{C-1}$, respectively, since this gives
Eve only more information. Recalling that $Z'_C = \mathsf{Ext}_{1..m'}(X; W'_C)$, and denoting "side information"
by $E^*_C = (E_C, R'_C, Z'_{C-1})$, it is enough to argue

\[ \Delta\big((E^*_C, W'_C, \mathsf{Ext}_{1..m'}(X; W'_C)),\ (E^*_C, W'_C, U_{m'})\big) \le \frac{2}{2^s} \tag{21} \]

where we notice that $E^*_C$ is independent of the choice of random $W'_C$. In turn, Equation (21) follows
from the fact that $\mathsf{Ext}$ is a $(k', 2^{-s})$-extractor provided we can show that $H_\infty(X|E^*_C) \ge k' + s$, where
the extra error term $2^{-s}$ comes from Lemma 3.3 to argue that $\Pr_{e^*}[H_\infty(X|E^*_C = e^*) \ge k'] \ge 1 - 2^{-s}$.
So we show that $H_\infty(X|E^*_C) \ge k' + s$.

\[ \begin{aligned}
H_\infty(X|E^*_C) &= H_\infty(X|E_C, R'_C, Z'_{C-1}) \\
&\ge H_\infty(X|E_C) - |R'_C| - |Z'_{C-1}| \\
&= H_\infty(X|E_C) - m' - \ell \\
&\ge k' + 14s - 4s - 8s \\
&= k' + 2s
\end{aligned} \]

where the first inequality used Lemma 3.4, and the second inequality used Lemma 6.9, since $E_C$ is
a deterministic function of $E'$.

The final claim $H_\infty(X|(E'_C, Z'_C)) \ge k' + 10s$ follows from Lemma 3.4 and the fact that $H_\infty(X|E'_C) \ge
k' + 14s$ (Lemma 6.9) and $|Z'_C| = m' = 4s$. □

Lemma 6.14 and Lemma 6.15 imply that, in order for the synchronous Eve to have a non-trivial
chance to make Bob accept, at the end of Phase $C$ Alice and Bob must agree on a key $Z_C = Z'_C$
which looks random to Eve. Moreover, $X$ still has a lot of entropy given $Z'_C$ and Eve's view so
far. Thus, to show both (post-application) robustness and extraction for Bob, it is sufficient to
show these properties for a very simple one-round key agreement protocol, which emulates the final
Phase $(C+1)$ of our protocol with Alice and Bob sharing a key $Z_C = Z'_C$ which is assumed to be
random and independent from Eve's view so far. We start with post-application robustness.

Post-Application Robustness: To cause Bob to output a different key than Alice in Phase
$(C+1)$, Eve must modify Alice's seed $W_{C+1}$ to $W'_{C+1} \neq W_{C+1}$, and then forge a valid tag $S'_C$
of $W'_{C+1}$ under the shared key $Z_C = Z'_C$. For pre-application robustness, the unforgeability of
$\mathsf{MAC}$ immediately implies that Eve's probability of success is at most $2^{-s}$. However, in the post-
application robustness experiment, Eve is additionally given Alice's final key $R_A = \mathsf{Ext}(X; W_{C+1})$.
Luckily, since $X$ has more than $k' + s$ bits of min-entropy even conditioned on the MAC key $Z_C$,
security of the extractor implies that the joint distribution of $Z_C$ and $R_A$ looks like a pair of
independent random strings. In particular, Eve still cannot change the value of the seed $W_{C+1}$ in
Phase $(C+1)$, despite being additionally given Alice's key $R_A$, since that key looks random and
independent of the MAC key $Z_C = Z'_C$.

Extraction for Bob: We just argued (pre-application) robustness of our protocol, which,
for synchronous Eve, means that if Bob does not reject, then, with high probability, he outputs
the same key $R_B = \mathsf{Ext}(X; W'_{C+1})$ as Alice's key $R_A = \mathsf{Ext}(X; W_{C+1})$. Thus, Bob's extraction
is implied by Alice's extraction, which was already argued in Lemma 6.10. Alternatively, Alice's
extraction can be seen directly, as she chooses a fresh seed $W_{C+1}$ and $H_\infty(X|E'_C, Z_C) \ge k' + 10s$.

This concludes the proof of Theorem 1.5. 



7 Future Directions 

There are several natural open questions. First, can we give a non-malleable extractor which
outputs even one bit for entropy rate below 1/2? As far as we know, it is possible that our
extractor works for lower min-entropy (although the Cohen-Raz-Segev extractor [CRS11] in full
generality does not). Second, can we achieve optimal round complexity (2 rounds) and entropy
loss ($O(s)$) for weak secrets with arbitrary linear entropy $\delta n$? In principle, this problem would
be solved if an efficient non-malleable extractor is constructed for entropy rate below 1/2. Finally,
can we generalize our techniques to sublinear entropy?
A Generalizing the Non-Malleable Extractor



We now generalize our earlier results to show that we get a non-malleable extractor even if $M$ does
not divide $q - 1$. We still use the same function $\mathsf{nmExt}(x, y) = h(\log_g(x + y))$, with $h : \mathbb{Z}_{q-1} \to \mathbb{Z}_M$
given by $h(x) = x \bmod M$.

Theorem A.1. There exists a constant $c > 0$ such that for any $n$, $k > n/2 + \log n + c$, and
$m < k/2 - n/4 - c$, if we let $h$ be as above for $M = 2^m$, then the following holds. The function
$\mathsf{nmExt}(x, y) = h(\log_g(x + y))$ is a $(k, \varepsilon)$-non-malleable extractor for $\varepsilon = O(n 2^{m + n/4 - k/2})$.

The main ingredient in our proof is Rao's generalization of Vazirani's XOR lemma [Rao07].

A.1 A generalized XOR lemma

We now extend Rao's generalization of Vazirani's XOR lemma. We need to modify his lemma 
because our output won't necessarily be uniform. 

Lemma A.2. For every positive integers $M < N$, the function $h : \mathbb{Z}_N \to H = \mathbb{Z}_M$ defined
above satisfies the following property. Let $W, W'$ be any random variables on $\mathbb{Z}_N$ such that for all
characters $\phi, \phi'$ on $\mathbb{Z}_N$ with $\phi$ nontrivial, we have $|\mathbb{E}_{W,W'}[\phi(W)\phi'(W')]| \le \alpha$. Then $(h(W), h(W'))$
is $O(\alpha M \log N + M/N)$-close to the distribution $(U, h(W'))$, where $U$ is the uniform distribution on
$H$ which is independent of $W'$.

To prove Theorem A.1 assuming Lemma A.2, we set $N = q - 1$, $(W, W') = (\log_g(X + Y), \log_g(X +
\mathcal{A}(Y)))$, and we condition on $Y = y$. Note that for $\phi$ an additive character, the function $\chi(x) =
\phi(\log_g(x))$ is a multiplicative character. Therefore, Theorem 5.4 shows that $((W, W')|Y = y)$
satisfies the hypotheses of Lemma A.2 for some $\alpha_y$, where $\mathbb{E}_{Y=y}[\alpha_y] \le \alpha$ for $\alpha \le q^{1/4} 2^{1 - k/2} \le
2^{n/4 + 2 - k/2}$. Using Lemma A.2, one finds that $((h(W), h(W'))|Y = y)$ is $O(\alpha_y M \log N + M/N)$-
close to $((U, h(W'))|Y = y)$ for every $y$. Since this expression is linear in $\alpha_y$, we conclude that
$(h(W), h(W'), Y)$ is $O(\alpha M \log N + M/N)$-close to $(U, h(W'), Y)$, as required.

We now turn to the proof of Lemma A.2. First note that Lemma 3.8 is a special case. To handle
$h$ in the case that $M \nmid (q - 1)$, note that a character on a group $G$ has one Fourier coefficient $|G|$
and the rest $0$. We show that if the $\ell_1$-norm of $\phi \circ h$ is not much bigger than this, then we get the
desired conclusion.

Lemma A.3. Let $G$ and $H$ be finite abelian groups. Let $(W, W')$ be a distribution on $G \times G$ with
$|\mathbb{E}[\psi(W)\psi'(W')]| \le \alpha$ for all nontrivial characters $\psi$ and all characters $\psi'$. Let $h : G \to H$
be a function such that for every character $\phi$ of $H$, we have that

\[ \|\widehat{\phi \circ h}\|_{\ell_1} \le b|G|. \]

Then $\|(h(W), h(W')) - (h(U), h(W'))\|_{\ell_1} \le b\alpha|H|$.

Proof. Let $g : H \times H \to \mathbb{C}$ be the difference of distributions $(h(W), h(W')) - (h(U), h(W'))$, and
let $f : G \times G \to \mathbb{C}$ be the difference of distributions $(W, W') - (U, W')$. By Lemma 3.8, we have
$|\hat f(\psi, \psi')| \le \alpha$. Let $\phi$ and $\phi'$ be any characters of $H$ with $\phi$ nontrivial. Then

\[ \begin{aligned}
|\hat g(\phi, \phi')| &= \big|\big\langle (\phi, \phi'),\ g = (h(W), h(W')) - (h(U), h(W')) \big\rangle\big| \\
&= \big|\big\langle (\phi, \phi') \circ h,\ f = (W, W') - (U, W') \big\rangle\big| \\
&= \big|\big\langle \widehat{(\phi, \phi') \circ h},\ \hat f \big\rangle\big| / |G|^2 \\
&\le \|\widehat{(\phi, \phi') \circ h}\|_{\ell_1}\, \|\hat f\|_{\ell_\infty} / |G|^2 \\
&\le \|\widehat{(\phi \circ h, \phi' \circ h)}\|_{\ell_1} \cdot \alpha / |G|^2.
\end{aligned} \]

But now

\[ \|\widehat{(\phi \circ h, \phi' \circ h)}\|_{\ell_1} = \|\widehat{\phi \circ h}\|_{\ell_1}\, \|\widehat{\phi' \circ h}\|_{\ell_1} \le (b|G|)\,|G|. \]

Putting these together yields $|\hat g(\phi, \phi')| \le b\alpha$. When $\phi$ is trivial, as in Lemma 3.8, one has $\hat g(\phi, \phi') =
0$. By (1), this implies $\|g\|_{\ell_1} \le |H| b \alpha$, as required. □

We bound $b$ using the following lemma by Rao, renormalized to our setting.

Lemma A.4. Let $M < N$ be integers, and let $h : \mathbb{Z}_N \to \mathbb{Z}_M$ be the function $h(x) = x \bmod M$.
Then for every character $\phi$ of $\mathbb{Z}_M$, we have $\|\widehat{\phi \circ h}\|_{\ell_1} = O(N \log N)$.

Thus, we may take $b = O(\log N)$ in Lemma A.3. Finally, we use the following simple lemma
from Rao.

Lemma A.5. Let $M < N$ be integers, and let $h : \mathbb{Z}_N \to \mathbb{Z}_M$ be the function $h(x) = x \bmod M$.
Then for $U$ the uniform distribution on $\mathbb{Z}_N$, we have that $h(U)$ is $2M/N$-close to the uniform
distribution on $\mathbb{Z}_M$.
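To make the objects of this appendix concrete, the following Python code is an added example, not part of the paper: it implements $\mathsf{nmExt}(x, y) = h(\log_g(x + y))$ with $h(z) = z \bmod M$ over a toy prime field (by tabulating the discrete logarithm, which is only feasible for tiny $q$; we also set $\log_g(0) := 0$ by assumption, since the page does not state the paper's convention for that point), computes the statistical distance of $h(U_N)$ from uniform that Lemma A.5 bounds by $2M/N$, and evaluates the distance appearing in the non-malleable-extractor definition for a given source and tampering function $\mathcal{A}$. The toy parameters ($q = 11$, $g = 2$, $M = 4$, which does not divide $q - 1 = 10$) do not satisfy the hypotheses of Theorem A.1, so the computed distances illustrate the definitions rather than the theorem's bound. Function names are ours.

```python
from fractions import Fraction

def discrete_log_table(q, g):
    """log_g over F_q^*: enumerate g^0, g^1, ... and record the exponent of
    each element.  Only sensible for toy q; the paper relies on efficient
    discrete-log algorithms for primes of special form.  We set log_g(0) := 0
    (an assumption for the point where the log is undefined)."""
    table = {0: 0}
    cur = 1
    for e in range(q - 1):
        if cur in table:
            raise ValueError("g is not a generator modulo q")
        table[cur] = e
        cur = (cur * g) % q
    return table

def nm_ext(x, y, q, logtab, M):
    """nmExt(x, y) = h(log_g(x + y)) with h(z) = z mod M, as in Appendix A."""
    return logtab[(x + y) % q] % M

def stat_dist(p, u):
    """Statistical distance (1/2) sum_z |p(z) - u(z)| of two distributions
    given as dicts {outcome: probability}."""
    keys = set(p) | set(u)
    return Fraction(1, 2) * sum(abs(p.get(k, Fraction(0)) - u.get(k, Fraction(0))) for k in keys)

def h_of_uniform_distance(N, M):
    """Distance of h(U_N) = (U_N mod M) from uniform on Z_M, the quantity
    Lemma A.5 bounds by 2M/N."""
    counts = {}
    for z in range(N):
        counts[z % M] = counts.get(z % M, 0) + 1
    p = {z: Fraction(c, N) for z, c in counts.items()}
    u = {z: Fraction(1, M) for z in range(M)}
    return stat_dist(p, u)

def lemma_a5_holds(N, M):
    return h_of_uniform_distance(N, M) <= Fraction(2 * M, N)

def nonmalleability_distance(source, y, adv, q, logtab, M):
    """Delta( (nmExt(X;y), nmExt(X;A(y))) , (U_M, nmExt(X;A(y))) ) for a
    source X given as {x: Pr[X=x]} and a tampering function adv with
    adv(y) != y.  This is the quantity the non-malleable-extractor definition
    asks to be at most epsilon (after also averaging over the seed y)."""
    y2 = adv(y)
    if y2 == y:
        raise ValueError("tampering function must change the seed")
    joint, marg = {}, {}
    for x, px in source.items():
        a, b = nm_ext(x, y, q, logtab, M), nm_ext(x, y2, q, logtab, M)
        joint[(a, b)] = joint.get((a, b), Fraction(0)) + px
        marg[b] = marg.get(b, Fraction(0)) + px
    ideal = {(z, b): pb / M for b, pb in marg.items() for z in range(M)}
    return stat_dist(joint, ideal)

if __name__ == "__main__":
    q, g, M = 11, 2, 4          # toy prime, generator, and M = 4 not dividing q - 1 = 10
    tab = discrete_log_table(q, g)
    print({(x, y): nm_ext(x, y, q, tab, M) for x in range(3) for y in range(3)})
    print(h_of_uniform_distance(10, 4), Fraction(2 * 4, 10), lemma_a5_holds(10, 4))
    # a constructed source uniform on six field elements, tampered seed A(y) = y + 1 mod q
    src = {x: Fraction(1, 6) for x in range(6)}
    print(nonmalleability_distance(src, 3, lambda y: (y + 1) % q, q, tab, M))
```

For $N = 10$ and $M = 4$ the distance of $h(U_N)$ from uniform is exactly $1/10$, well inside the $2M/N = 4/5$ bound; in general it equals $r(M - r)/(NM)$ where $r = N \bmod M$, which is why the lemma's bound is so loose. A point-mass source, on the other hand, makes both outputs deterministic and drives the non-malleability distance to $1 - 1/M$, the expected behaviour for a source with no min-entropy.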